Abstract

SPKI/SDSI is a proposed public key infrastructure standard that incorporates 
the SDSI public key infrastructure. SDSI's key innovation was the use of local 
names. We previously introduced a Logic of Local Name Containment that has a 
clear semantics and was shown to completely characterize SDSI name resolution. 
Here we show how our earlier approach can be extended to deal with a number 
of key features of SPKI, including revocation, expiry dates, and tuple reduction. 
We show that these extensions add relatively little complexity to the logic. In 
particular, we do not need a nonmonotonic logic to capture revocation. We then 
use our semantics to examine SPKI's tuple reduction rules. Our analysis highlights 
places where SPKI's informal description of tuple reduction is somewhat vague, 
and shows that extra reduction rules are necessary in order to capture general 
information about binding and authorization. 
1 Introduction



Rivest and Lampson (1996) introduced SDSI, a Simple Distributed Security Infrastructure,
to facilitate the construction of secure systems. In SDSI, principals (agents) are
identified with public keys. In addition to principals, SDSI allows other names, such as
poker-buddies. Rather than having a global name space, these names are interpreted
locally, by each principal. That is, each principal associates with each name a set of
principals. Of course, the interpretation of a name such as poker-buddies may be
different for each agent. However, a principal can "export" his bindings to other principals
using signed certificates. Thus, Ron may receive a signed certificate from the principal
he names Joe describing a set of principals Joe associates with poker-buddies. Ron
may then refer to this set of principals by the expression Joe's poker-buddies. Rivest
and Lampson (1996) give an operational account of local names; they provide a
name-resolution algorithm that, given a principal k and a name n, computes the set of
principals associated with n according to k. In (Halpern and van der Meyden 2001),
building on earlier work of Abadi (1998), we give a logic LLNC, the Logic of Local Name
Containment, with clean semantics that precisely captures SDSI's operational name
resolution algorithm.

However, our earlier work made a number of simplifying assumptions to bring out
what we saw as the main issues of name spaces. In particular, we (along with Abadi)
assumed that certificates never expired and were not revoked. SDSI has been
incorporated into SPKI (Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen 1999a;
Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen 1999b), which allows expiry dates
for certificates and revocation, and deals with authorization and delegation in addition
to naming. In this paper, we show how our earlier approach can be extended to deal with
these features of SPKI.

By not having expiry dates and not allowing revocation, we get a monotonicity
property: having more certificates can never mean that fewer keys are bound to a given name.
Heavy use seems to be made of monotonicity in our earlier work.¹ A number of authors
have developed logical accounts of authorization based on nonmonotonic logics (Woo and
Lam 1993; Jajodia, Samarati, and Subramanian 1997; Li, Grosof, and Feigenbaum 1999;
Li, Grosof, and Feigenbaum 2000). These are logics where conclusions can be retracted
in the presence of more information (so that C may follow from A but not from $A \wedge B$).
It has been suggested that revocation should be modeled using a nonmonotonic logic (Li,
Grosof, and Feigenbaum 1999).² Dealing with nonmonotonicity adds significant
complications to a logic, both conceptually and from a complexity-theoretic point of view (see,
for example, (Cadoli and Lenzerini 1994)). Thus, there is a benefit to using a monotonic
logic where possible. We show that there is no difficulty capturing expiry dates and
revocation (at least as they appear in SPKI) using a monotonic logic. Interestingly, SPKI's
semantics maintains monotonicity even in the presence of revocation, in the sense that
having more certificates (even more revocation certificates) still allows us to draw more
conclusions about both name bindings and authorizations. (Roughly speaking, this is
because, in SPKI, a certificate is ignored unless it is known not to have been revoked.
Having a revocation certificate issued by k covering a certain time t ensures that there
are no other revocation certificates issued by k covering t, and thus allows us to
conclude that certain certificates have not been revoked at time t. Thus, by having more
revocation certificates, we can draw more conclusions.)

1 Ninghui Li (2000) has erroneously claimed that LLNC is nonmonotonic. See (Halpern and van der
Meyden 2001) for a rebuttal and discussion of this claim.

2 Although it does not go into details about the nonmonotonic features, (Li, Grosof, and Feigenbaum
1999) mentions a logic DL, whose notable features are said to include "The ability to handle
non-monotonic policies. These are policies that deal explicitly with 'negative evidence' and specify types
of requests that do not comply. Important examples include hot-lists of 'revoked' credentials ....
'Non-monotonic' here means in the sense of logic-based knowledge representation (KR)." Some of the authors
of this paper have also taken an alternate position: Li and Feigenbaum (2001) recommend that "a PKI
should provide an interface that is monotonic".

We remark that, although SPKI is monotonic with respect to adding more certificates,
it is not monotonic with respect to time. Keys that are bound to a name at time t may
no longer be bound to that name at time t' > t. (Indeed, this does not require revocation;
it suffices that certificates have intervals of validity.)

SPKI gives semantics to certificates by first converting them to tuples, and then
providing tuple reduction rules, which are used to reduce the tuples to a particularly
simple form (corresponding to basic name binding and authorization decisions). We
associate with each SPKI certificate a formula in our logic. Thus, we have two ways of
giving semantics to SPKI certificates: through tuple reduction and through the logic.
The focus of this paper is on examining the connection between these two approaches.
Our analysis highlights places where SPKI's informal description of tuple reduction is
somewhat vague, and shows that extra reduction rules are necessary in order to capture
general information about binding and authorization. Besides clarifying ambiguities, the
logic allows for reasoning about the consequences of certain certifications and general
reasoning about naming and authorization. (See Section 7 for further discussion of the
potential uses of the logic.)

The rest of this paper is organized as follows. In the next section, we briefly describe
the syntax of SPKI. In Section 3, we describe SPKI's reduction rules. Section 4 describes
the syntax and semantics of our logic for reasoning about SPKI, which extends LLNC.
In Section 5, we prove our main results, which involve characterizing the power of SPKI
reduction rules in terms of our logic. In Section 6 we compare our work to several other
recent approaches to giving semantics to SPKI. We conclude in Section 7 with further
discussion of the logic.
2 SPKI syntax



SPKI views authority as being associated with principals, which it identifies with public
keys. Instead of global names, SPKI has incorporated SDSI's notion of local name space.
In SDSI/SPKI, a local name such as Joe is interpreted with respect to a principal, and its
meaning may vary from principal to principal. There is no requirement that a local name
refer to a unique principal. For example, a local name such as poker-buddies may refer
to a set of principals. Within its name space, a principal may refer to the interpretation
of names in another principal's name space by means of compound names. For example,
a principal may use the expression Joe's poker-buddies to refer to the principals that
the principal he refers to as Joe refers to as poker-buddies. SPKI calls such expressions
compound (SDSI) names, and uses the syntax (name $n_1$ $n_2$ ... $n_k$), where the $n_i$ are local
names (called basic SDSI names in the SPKI document) for $i > 1$ and $n_1$ is either a
local name or a key. Such an expression may also be represented as $n_1$'s $n_2$'s ... $n_k$. A
fully-qualified name is one where $n_1$ is a key and $n_2, \ldots, n_k$ are local names. While, in
general, the interpretation of a compound name depends on the principal (so that the
interpretation of Joe's poker-buddies by key $k_1$ depends on $k_1$'s interpretation of Joe,
and may be different from $k_2$'s interpretation of Joe and Joe's poker-buddies), the
interpretation of a fully-qualified name is independent of the principal.

SPKI has other ways of identifying principals. For example, SPKI principals may
also be the hash of a key, a threshold subject (an expression representing "any m out of
N of the following subjects", used to capture requirements for joint signatures), or the
reserved word "Self", representing the entity doing the verification. For simplicity, in
this paper, the only principals we consider are those defined by compound names.

There are two types of certificates in SPKI: naming certificates and authorization
certificates. SPKI also has certificate revocation lists (CRLs); for uniformity, we treat these as
certificates as well. Again, this seems completely consistent with the SPKI treatment. A
naming certificate has the form of a cryptographically signed message with contents

(cert (issuer (name k n)) (subject p) (valid)),

where k is a key (representing the issuer, whose signature should be on the certificate),
n is a local name, p is a fully-qualified SDSI name,³ and (valid) is an optional section
describing validity constraints on the certificate. The (valid) section may describe an
interval during which the certificate is valid, expressed by means of a "not-before date"
(expressed in the syntax as (not-before (date))) and/or a "not-after date" (expressed
as (not-after (date))). It may also describe a sequence of "online test" expressions,
which specify that the certificate should be verified either by checking a certificate
revocation list (CRL) (intuitively, a list of certificates that have been revoked), by checking
a revalidation list (a list of currently valid certificates), or by performing an online test.
Each of these components is optional.

3 SPKI also allows p to be an unqualified name (that is, a string of local names), but notes that in
this case it is to be interpreted as k's p, which is a fully qualified name. For simplicity, we insist upon
fully qualified names here.

In this paper, we assume that the (valid) field contains only validity intervals and
a key authorized to sign revocation lists relevant to the certificate; the treatment for
revalidation lists and other online tests is similar and does not add new subtleties.⁴ We
represent dates as natural numbers. From the not-before and not-after sections of
a certificate we may obtain a validity interval $V = [t_1, t_2]$ where $t_1, t_2 \in \mathbb{N} \cup \{\infty\}$ are
respectively the not-before time and the not-after times indicated. If no not-before time
is given, we take $t_1 = 0$ and, similarly, if no not-after time is given, we take $t_2 = \infty$.
We assume that $t_1 < t_2$, so that the validity interval is nonempty. We also allow the
empty interval, which we denote $\emptyset$.

For simplicity, we abbreviate naming certificates as (cert k n p V $k_r$), where V has the
form $[t_1, t_2]$ and $k_r$ is the key which is authorized to sign CRLs relevant to the certificate.
The $k_r$ component may not be present: if it is, then we say that the certificate is revocable
by $k_r$. We occasionally write (cert k n p V ($k_r$)) to denote a generic naming certificate
where $k_r$ may or may not be present. A naming certificate binds the fully-qualified
name p to the local name n in k's local name space during the period V, provided that
the certificate does not appear in any CRLs signed by $k_r$. Binding p to n means that the
interpretation of n with respect to k includes the meaning of p. For example, if Ron and
Joe are principals, then the certificate (cert Ron doctor (Joe's doctor) [1,3]) binds
Joe's doctor to the local name doctor in Ron's local name space from time 1 to time
3; moreover, this certificate is irrevocable.

Authorization certificates have the form

(cert (issuer k) (subject p) (propagate) A (valid)),

where k is a key, p is a fully-qualified name,⁵ A is what the SPKI document calls an
authorization and we call an action expression, since it represents a set of actions, and
(valid) is a validity section, as described above. The "(propagate)" section is optional.
Intuitively, the issuer uses such a certificate to grant the subject the authority to perform
the actions in A. Moreover, if "(propagate)" is present, then the subject is further
authorized to propagate this authority to others.⁶ We abbreviate authorization certificates
as (cert k p D A V $k_r$), where D is a Boolean (which stands for delegate) indicating
whether or not propagation is permitted. Again, the $k_r$ component is optional, and we
use (cert k p D A V ($k_r$)) to denote a generic authorization certificate where the $k_r$
component may or may not be present.

4 SPKI also allows a certificate to specify a list of locations where the CRL may be obtained (rather
than requiring that the actual CRL be sent), and to provide http requests to these locations with extra
parameters, but we ignore these components since they do not interact with the semantic issues we
address.

5 SPKI also allows the subject to be an unqualified name. We make the simplifying assumption of
qualified names just as we did above.

6 Note that if "(propagate)" is not present, then we treat this as there being no indication of whether
the subject is authorized to propagate the authority to others, rather than it being the case that the
subject is not permitted to propagate the authority. This allows it to be consistent for k to issue two
certificates that are identical except that one contains "(propagate)" while the other does not. Under our
interpretation, the former supersedes the latter. (This seems particularly reasonable if we assume that
someone who is seeking permission to perform an action will present those certificates that maximize
his/her rights.) The SPKI document is silent on this issue.

SPKI takes an action expression A to be an S-expression — a list of strings or sublists.
It uses AIntersect to denote the intersection of action expressions.⁷ As we suggested
above, action expressions are best thought of as sets of actions. We abstract this by
assuming that there is some set Act of actions and a set $\mathcal{A}$ of action expressions that,
intuitively, represent sets of actions in Act. We assume that $\mathcal{A}$ includes all finite subsets
$\{a_1, \ldots, a_n\}$ of Act. Moreover, we assume that, given two action expressions $A_1$ and
$A_2$ in $\mathcal{A}$, we can easily compute a third action expression in $\mathcal{A}$, denoted $A_1 \cap A_2$, which
intuitively represents the intersection of the sets represented by $A_1$ and $A_2$. (We capture
this intuition by a semantic constraint below.) The reason that we allow expressions in
$\mathcal{A}$, rather than just finite subsets of Act, is that SPKI allows (some) expressions that
represent infinite sets of actions. For example, SPKI allows an action expression of the
form (ftp ftp.clark.net /pub/cme/*), which allows access to directories on ftp.clark.net
that start with /pub/cme/ (see (Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen
1999a, Section 6.3.1)).

We assume that there is a fixed action interpretation $\alpha_{\mathcal{A}}$ that maps action expressions
in $\mathcal{A}$ to subsets of Act. We require that if A is a finite subset of Act, then $\alpha_{\mathcal{A}}(A) = A$,
and that $\alpha_{\mathcal{A}}(A_1 \cap A_2) = \alpha_{\mathcal{A}}(A_1) \cap \alpha_{\mathcal{A}}(A_2)$. We also assume that we can decide (given $A_1$
and $A_2$) whether $\alpha_{\mathcal{A}}(A_1 \cap A_2) = \alpha_{\mathcal{A}}(A_2)$ (intuitively, whether $A_1$ denotes a subset of $A_2$).

A CRL has the form

(crl (canceled $c_1, \ldots, c_n$) V)

where the $c_i$ are hashes of certificates.⁸ It is left implicit that the CRL needs to be signed
by some key k. For simplicity, we will assume that CRLs contain certificates themselves
rather than hashes. We abbreviate a CRL as (crl k (canceled $c_1, \ldots, c_n$) V).
Intuitively, this says that, according to the issuer k, the certificates $c_1, \ldots, c_n$ are revoked
during the interval V. We require that each of the certificates $c_i$ be revocable by k
(otherwise k is attempting to revoke a certificate that it is not entitled to revoke).

Let $C^+(K, N, \mathcal{A})$ consist of all certificates over $(K, N, \mathcal{A})$ (i.e., where all the keys are
in K, all the names used are in N, and all the action expressions are in $\mathcal{A}$); let $C(K, N, \mathcal{A})$
be the subset of $C^+(K, N, \mathcal{A})$ consisting of all naming and authorization certificates; and
let $C_R(K, N, \mathcal{A})$ be the subset of $C^+(K, N, \mathcal{A})$ consisting of all CRLs.

7 Howell and Kotz (2000) have noted some problems with intersection for SPKI's
action expressions (or tags), namely that not all intersections of tags can be represented as a tag. The
problem can be eliminated by extending the set of tags. We simply avoid the issue here by treating
action expressions very abstractly, and assuming that they can always be intersected.

8 SPKI also allows delta-CRLs. We omit these since they do not introduce essentially new semantic
issues.
3 SPKI's tuple reduction rules



The semantics of SPKI certificates is characterized by a description of the algorithm
invoked to verify that a sequence of credentials supports an authorization decision (Ellison,
Frantz, Lampson, Rivest, Thomas, and Ylonen 1999a, Section 6). It is left to the prover
(the agent presenting a set of credentials) to construct an appropriate sequence before
submitting a request to the verifier.

Given a set C of naming and authorization certificates and a set $C_R$ of CRLs, the
algorithm first converts these certificates to a set of tuples, and reduces these tuples
according to certain rules.

There are two types of tuples: 4-tuples, related to name binding certificates, and
5-tuples, related to authorization certificates. A 4-tuple has the form (k, n, p, V) where
the components are exactly as in the first four components of a naming certificate.
Similarly, a 5-tuple has the form (k, p, D, A, V), where the components are exactly as in an
authorization certificate. Note that neither the 4-tuples nor the 5-tuples mention the
$k_r$ component of authorization certificates. We use $r_c$ to denote the 4- or 5-tuple
corresponding to certificate c.

The first step in the conversion is to check each certificate in C to see if it has
been revoked. Given a naming certificate c = (cert k n p $[t_0, t_1]$ $k_r$) and a CRL
$c_R$ = (crl $k'_r$ (canceled $c_1, \ldots, c_n$) $[t'_0, t'_1]$), say that c is live with respect to $c_R$ if

1. c is signed by k, and

2. the following four conditions all hold:

(a) $k_r = k'_r$,

(b) $c_R$ is signed by $k'_r$,

(c) $[t_0, t_1] \cap [t'_0, t'_1] \neq \emptyset$,

(d) $c \notin \{c_1, \ldots, c_n\}$.

Intuitively, c is live with respect to $c_R$ if c is properly signed, the validity component in c
requires checking a CRL, $c_R$ is the certificate appropriate for the CRL and, according to
the CRL, c has not been revoked. If c is live with respect to $c_R$, define $r(c, c_R)$ to be the
4-tuple $(k, n, p, [t_0, t_1] \cap [t'_0, t'_1])$. If c is an authorization certificate, there is an essentially
identical notion of liveness with respect to $c_R$ and corresponding 5-tuples $r(c, c_R)$. We
leave details to the reader. Define Tuples($C$, $C_R$) to be the set of tuples $r(c, c_R)$ where
$c \in C$, $c_R \in C_R$, and c is live with respect to $c_R$, together with the set of tuples $r_c$ where
$c \in C$ is irrevocable.

The mapping $r(c, c_R)$ is our attempt to capture the mapping described in (Ellison,
Frantz, Lampson, Rivest, Thomas, and Ylonen 1999a, Section 6), which says:

Individual certificates are verified by checking their signatures and possibly
performing other work. They are then mapped to intermediate forms, called
"tuples" here. The other work for SPKI or SDSI certificates might include
processing of on-line test results (CRL, re-validation or one-time validation).
... If on-line tests are involved in the certificate processing, then the validity
dates of those on-line test results are intersected . . . with the validity dates of
the certificate to yield the dates in the certificate's tuple(s).

Note that the mapping Tuples($C$, $C_R$) is monotonic: if $C' \supseteq C$ and $C'_R \supseteq C_R$, then
Tuples($C'$, $C'_R$) $\supseteq$ Tuples($C$, $C_R$). Intuitively, a certificate $c \in C$ that is revocable by $k_r$
is considered to be valid at time t if there is clear evidence that c has not been revoked
by $k_r$ at time t, where the "evidence" is that there is a CRL issued by $k_r$ that covers
time t that does not mention c. The absence of a certificate c from any relevant CRL c'
ensures that the statement being made by that certificate applies during the intersection
of the intervals of c and c'.

The intuition that Tuples($C$, $C_R$) consists of the still valid certificates does not hold
up so well when there can be more than one CRL relevant to the validity of a certificate
c at a time t. For suppose that c is revoked according to one certificate and not revoked
according to another. One could reasonably argue that, in this situation, the two CRLs
are in conflict about whether the certificate has been revoked, and either could apply.
In particular, the outcome of an authorization decision would depend on which CRL is
presented in support of a request. To avoid such nondeterminism, SPKI (Ellison, Frantz,
Lampson, Rivest, Thomas, and Ylonen 1999a, Section 5.2) assumes that at any time, at
most one CRL applies. We say a set $C_R$ of CRLs is consistent if it is not the case that
there exist CRLs $c, c' \in C_R$, both issued by k, with validity periods $V$, $V'$, respectively,
such that $V \cap V' \neq \emptyset$. Restricting to consistent sets of CRLs ensures that it is safe to
take any relevant CRL not containing a certificate as evidence for the validity of that
certificate, since there cannot exist a CRL contradicting this conclusion. This assumption
supports the monotonicity of Tuples($C$, $C_R$), and is essentially what allows us to use a
monotonic logic, even in the presence of revocation.⁹
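
As an added illustration (not code from the paper or from the SPKI documents), the following Python example computes Tuples(C, C_R) for naming certificates from the liveness conditions and the consistency requirement above. Signature verification is abstracted as a `signed_by` field, rejecting an inconsistent CRL set with an error is this example's own choice, and every key name and certificate other than the Ron/Joe doctor certificate is constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


def intersect(v1, v2):
    """Intersection of closed intervals (t1, t2); None is the empty interval."""
    if v1 is None or v2 is None:
        return None
    lo, hi = max(v1[0], v2[0]), min(v1[1], v2[1])
    return (lo, hi) if lo <= hi else None


@dataclass(frozen=True)
class NameCert:                      # (cert k n p V (k_r))
    issuer: str                      # k
    name: str                        # n
    subject: tuple                   # p as (key, n1, ..., nj)
    valid: tuple                     # V = (t1, t2)
    revoker: Optional[str] = None    # k_r; None means irrevocable
    signed_by: Optional[str] = None  # key whose signature verified (assumption)


@dataclass(frozen=True)
class CRL:                           # (crl k (canceled c1 ... cn) V)
    issuer: str
    canceled: frozenset              # certificates themselves, not hashes
    valid: tuple
    signed_by: Optional[str] = None


def is_live(c, crl):
    """Liveness of a revocable certificate c with respect to one CRL."""
    return (c.signed_by == c.issuer                        # 1. c is signed by k
            and c.revoker is not None
            and c.revoker == crl.issuer                    # (a) k_r = k'_r
            and crl.signed_by == crl.issuer                # (b) CRL signed by k'_r
            and intersect(c.valid, crl.valid) is not None  # (c) intervals overlap
            and c not in crl.canceled)                     # (d) c is not listed


def consistent(crls):
    """No two distinct CRLs from the same issuer have overlapping intervals."""
    return not any(a.issuer == b.issuer
                   and intersect(a.valid, b.valid) is not None
                   for a, b in combinations(set(crls), 2))


def tuples(certs, crls):
    """Tuples(C, C_R): 4-tuples (k, n, p, V) supported by the evidence given."""
    if not consistent(crls):
        # The paper and SPKI are silent on this case; failing closed is
        # this example's choice.
        raise ValueError("inconsistent CRL set")
    out = set()
    for c in certs:
        if c.revoker is None:
            # Signature check on irrevocable certificates is an assumption;
            # the definition states it only as part of liveness.
            if c.signed_by == c.issuer:
                out.add((c.issuer, c.name, c.subject, c.valid))
        else:
            for crl in crls:
                if is_live(c, crl):
                    out.add((c.issuer, c.name, c.subject,
                             intersect(c.valid, crl.valid)))
    return out


# Constructed sample data. DOCTOR mirrors the paper's irrevocable example.
DOCTOR = NameCert("K_ron", "doctor", ("K_joe", "doctor"), (1, 3), None, "K_ron")
BUDDIES = NameCert("K_ron", "poker-buddies", ("K_joe", "poker-buddies"),
                   (1, 10), "K_rev", "K_ron")
CRL_A = CRL("K_rev", frozenset(), (1, 4), "K_rev")            # lists nothing
CRL_B = CRL("K_rev", frozenset({BUDDIES}), (5, 8), "K_rev")   # revokes BUDDIES
CRL_D = CRL("K_rev", frozenset(), (9, 12), "K_rev")           # lists nothing
CRL_OVERLAP = CRL("K_rev", frozenset(), (3, 6), "K_rev")      # overlaps CRL_A
CERTS = {DOCTOR, BUDDIES}

if __name__ == "__main__":
    for crls in (set(), {CRL_A}, {CRL_A, CRL_B, CRL_D}):
        print(len(crls), "CRLs ->", sorted(tuples(CERTS, crls)))
```

With no CRLs only the irrevocable certificate yields a tuple; each further CRL that does not list the revocable certificate adds a tuple for the overlap of the two intervals, while the CRL that lists it adds none.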

The semantics of SPKI given in (Ellison, Frantz, Lampson, Rivest, Thomas, and
Ylonen 1999a) is in terms of tuple reduction. However, the presentation of how the tuples
are intended to be used to make an authorization decision is not completely formal.
(SPKI Working Group 1998, Section 6) states that "Uses of names are replaced with
simple definitions (keys ...), based on the name definitions available from reducing name
4-tuples" and that "Authorization 5-tuples are then reduced to a final authorization
decision". The rule for 5-tuple reduction required for the latter step is explicitly described
(in (Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen 1999a, Section 6.3)); it
combines two 5-tuples to produce another 5-tuple:

9 Of course, in practice, it may well be that a set of CRLs is inconsistent. Both the SPKI document 
and our paper are silent on what to do in this case. 
R1. $(k_1, k_2, \mathrm{true}, A_1, V_1) + (k_2, p, D_2, A_2, V_2) \longrightarrow (k_1, p, D_2, A_1 \cap A_2, V_1 \cap V_2)$.¹⁰

Intuitively, if $k_1$ permits $k_2$ to delegate authority to the actions in $A_1$ during $V_1$ and $k_2$
gives p authority over the actions in $A_2$ (and to further delegate authority, if $D_2$ is true)
for the interval $V_2$, then this is tantamount to $k_1$ giving authority to p over the actions
in $A_1 \cap A_2$ (and to further delegate authority, if $D_2$ is true) for the interval $V_1 \cap V_2$.

The way that 4-tuples are to be reduced is slightly less transparent. The discussion
of 4-tuple reduction in (Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen 1999a,
Section 6.4) does not describe rules by which 4-tuples may be reduced, but rather shows
how fully qualified names may be rewritten using 4-tuples. However, the discussion
suggests the following rule for 4-tuple reduction:

R2. $(k_1, n, k_2\text{'s } m\text{'s } p, V_1) + (k_2, m, k_3, V_2) \longrightarrow (k_1, n, k_3\text{'s } p, V_1 \cap V_2)$.

We allow p to be the empty string in this rule, treating an expression of the form r's p as
equal to r in this case, to avoid the need for stating the rule that results from replacing
$k_2$'s m's p by $k_2$'s m and replacing $k_3$'s p by $k_3$. We use this convention in stating other
rules too. Intuitively, this rule says that if $k_1$'s n is bound to $k_2$'s m's p for the interval $V_1$,
and $k_2$'s m is bound to $k_3$ for the interval $V_2$, then $k_1$'s n will be bound to $k_3$'s p for the
interval $V_1 \cap V_2$.

The SPKI document also considers a generalization of this rule:

R2'. $(k_1, n, k_2\text{'s } m\text{'s } p, V_1) + (k_2, m, q, V_2) \longrightarrow (k_1, n, q\text{'s } p, V_1 \cap V_2)$.

We consider in Section 5 the role of R2 vs. R2'.

The step of the authorization decision process described as "Uses of names are
replaced with simple definitions (keys ...), based on the name definitions available from
reducing name 4-tuples" is not further formalized. However, the following rule seems to
capture this intuition:

R3. $(k_1, k_2\text{'s } n\text{'s } p, D, A, V_1) + (k_2, n, k_3, V_2) \longrightarrow (k_1, k_3\text{'s } p, D, A, V_1 \cap V_2)$.

Again, it is possible to generalize R3 much the same way as R2' generalizes R2.

R3'. $(k_1, k_2\text{'s } n\text{'s } p, D, A, V_1) + (k_2, n, q, V_2) \longrightarrow (k_1, q\text{'s } p, D, A, V_1 \cap V_2)$.

As we shall see, the question of whether we use R2/R3 or R2'/R3' has a nontrivial
impact on the type of conclusions we can draw using tuple reduction; see, for example,
Theorems 5.2 and 5.6.

10 SPKI uses Vintersect to denote the intersection of timing expressions; we use the simple $\cap$ symbol
here. The intersection of timing intervals is defined in the obvious way. If $V_1 \cap V_2$ is empty, then
$V_1 \cap V_2 = \emptyset$, since we are using $\emptyset$ to denote the empty interval.
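
As an added illustration (not code from the paper or from the SPKI documents), the following Python example implements rules R1, R2/R2' and R3/R3' as stated above and carries one chain of tuples through to an authorization decision at a given time. It assumes names are encoded as Python tuples, action expressions are finite sets, and the empty interval is `None`; the `authorizes` helper is this example's reading of the final decision, and all keys, names and sample tuples are constructed.

```python
def intersect(v1, v2):
    """Closed-interval intersection; None plays the role of the empty interval."""
    if v1 is None or v2 is None:
        return None
    lo, hi = max(v1[0], v2[0]), min(v1[1], v2[1])
    return (lo, hi) if lo <= hi else None


# Encoding (assumption of this example): ("K2", "m", "x") is the
# fully-qualified name K2's m's x and ("K3",) is the bare key K3.
# 4-tuples are (k, n, p, V); 5-tuples are (k, p, D, A, V) with A a frozenset.

def r1(a, b):
    """R1: (k1, k2, true, A1, V1) + (k2, p, D2, A2, V2)
           -> (k1, p, D2, A1 & A2, V1 & V2). Returns None if not applicable."""
    k1, subj, d1, a1, v1 = a
    k2, p, d2, a2, v2 = b
    if d1 is True and subj == (k2,):
        return (k1, p, d2, a1 & a2, intersect(v1, v2))
    return None


def r2(a, b, general=False):
    """R2: (k1, n, k2's m's p, V1) + (k2, m, k3, V2) -> (k1, n, k3's p, V1 & V2).
    With general=True this is R2': the second subject q may be any name."""
    k1, n, subj, v1 = a
    k2, m, q, v2 = b
    if subj[:2] == (k2, m) and (general or len(q) == 1):
        return (k1, n, q + subj[2:], intersect(v1, v2))
    return None


def r3(a, b, general=False):
    """R3: (k1, k2's n's p, D, A, V1) + (k2, n, k3, V2)
           -> (k1, k3's p, D, A, V1 & V2). general=True gives R3'."""
    k1, subj, d, acts, v1 = a
    k2, n, q, v2 = b
    if subj[:2] == (k2, n) and (general or len(q) == 1):
        return (k1, q + subj[2:], d, acts, intersect(v1, v2))
    return None


def authorizes(t5, issuer, key, action, now):
    """Does a fully reduced 5-tuple let `key` perform `action` at time `now`?"""
    k, subj, _d, acts, v = t5
    return (k == issuer and subj == (key,) and action in acts
            and v is not None and v[0] <= now <= v[1])


# Constructed sample tuples (all key and local names are hypothetical).
GRANT = ("K_srv", ("K_alice",), True, frozenset({"read", "write"}), (0, 20))
TEAM_ACL = ("K_alice", ("K_alice", "team"), False, frozenset({"read"}), (5, 30))
TEAM = ("K_alice", "team", ("K_bob", "staff"), (0, 15))
STAFF = ("K_bob", "staff", ("K_carol",), (10, 40))


def reduce_chain():
    team_key = r2(TEAM, STAFF)        # K_alice's team bound to K_carol on (10, 15)
    acl_key = r3(TEAM_ACL, team_key)  # subject name replaced by the key K_carol
    return r1(GRANT, acl_key)         # K_srv's grant composed with K_alice's


if __name__ == "__main__":
    final = reduce_chain()
    print(final)
    print(authorizes(final, "K_srv", "K_carol", "read", 12))   # inside (10, 15)
    print(authorizes(final, "K_srv", "K_carol", "read", 16))   # outside it
```

The result is valid only on the intersection of all four intervals, which shows the non-monotonicity in time noted in the introduction: the same tuples authorize the request at time 12 and not at time 16.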
SPKI intends that the tuple reduction rules play several different roles. Besides being
used for specific authorization decisions, the tuple reduction process is intended to serve
as a means of derivation of consequences of a set of certificates that can form the basis of
a "certificate result certificate" that captures a set of authorizations that may be derived
from a collection of certificates (Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen
1999a, Section 6.6). As we shall see, in a precise sense, R1-3 suffice for making specific
authorization decisions at a given time. However, to derive more general consequences
of a set of certificates, we need to consider R2' and R3', as well as other rules discussed
in Section In the next section, we provide a semantics for SPKI that lets us provide
semantics for the reduction rules; we then use that semantics in Section 5 to carefully
examine the rules.



4 A logic for reasoning about SPKI 

We now define a formal language Cspki(K, N, $\mathcal{A}$) for reasoning about SPKI. Cspki(K, N, $\mathcal{A}$)
is an extension of the language LLNC defined in (Halpern and van der Meyden 2001).
The parameters N and $\mathcal{A}$ (the set of names and the set of action expressions) do not play
a significant role. However, for some of our results, the cardinality of the set K does play
a role. To simplify the notation, we often omit the parameters that play no significant
role, and write, for example, Cspki or Cspki(K). We do the same in all other contexts
where these parameters are used.



4.1 Syntax 

Following (Halpern and van der Meyden 2001), given a set K of keys and a set N of
local names, we define a principal expression (over K and N) to be either a key in
K, a local name in N, or an expression of the form p's q where p and q are principal
expressions. The compound names of SPKI/SDSI can be viewed as principal expressions.
Note that parenthesization matters for principal expressions; for example, ($n_1$'s $n_2$)'s $n_3$
is different from $n_1$'s ($n_2$'s $n_3$). However, our semantics guarantees that the combination
of names is associative, so that, in fact, the two principal expressions are equivalent
(see Lemma 4.2). For definiteness, we assume that all principal expressions that arise in
naming and authorization certificates are parenthesized to the right.¹¹

The primitives of Cspki(K, N, $\mathcal{A}$) consist of

• principal expressions over K and N;

• the set $C^+(K, N, \mathcal{A})$ of naming, authorization and revocation certificates that can
be formed from K, N, and $\mathcal{A}$;

• a special constant now;

• validity intervals V consisting of pairs $[t_1, t_2]$ of times in $\mathbb{N} \cup \{\infty\}$ with $t_1 < t_2$,
together with the empty interval $\emptyset$.

11 Recall that, in SPKI, names are just written as (name $n_1$ ... $n_k$), so there is no parenthesization
involved at all.

The set of formulas of Cspki(K, N, $\mathcal{A}$) is the smallest set such that

1. if p and q are principal expressions then $p \longmapsto q$ is a formula;

2. if $c \in C(K, N, \mathcal{A})$, then c and applic(c) are formulas;

3. if k is a key, p is a principal expression, and $A \in \mathcal{A}$, then Perm(k, p, A) and
Del(k, p, A) are formulas;

4. now $\in V$ is a formula;

5. if $\varphi$, $\psi$ are formulas then $\neg\varphi$ and $\varphi \wedge \psi$ are formulas.



Intuitively, $p \longmapsto q$ says that all the keys in q are bound to p. Since principal
expressions are associated with sets of keys, this just says that the keys associated with q
are a subset of those associated with p. The formula c is true at a time t if the certificate
c was issued before t. (To make sense of this, the semantic object which determines
whether formulas are true must include a list of the certificates that have been issued
and the current time.) The formula applic(c) is true at a time t if c is either irrevocable
or if it is revocable, but is known not to have been revoked at time t. Although we read
applic(c) as "c is applicable", it is worth noting that applic(c) could be true at time t
even if c was not issued before time t or its validity interval does not include t. There
are other formulas in the logic that enable us to say that c has been issued (namely, the
formula c) and that the current time is in a given validity interval (namely, now $\in V$).
Finally, as the notation suggests, the formula Perm(k, p, A) says that k permits p to
perform the actions in A and Del(k, p, A) says that k permits p to delegate authority
over the actions in A.

LLNC can be viewed as the fragment of Cspki where the only certificates allowed are 
those of the form (cert k n p), which corresponds to the LLNC formula k cert n 1 — ► p. 
There are no formulas in LLNC of the form now G V, Perm(k, p, A), Delfe, p, A), or 
applic(c) (since there is no notion of time in LLNC, and permission, delegation, and 
revocation are not treated) .0 

12 LLNC does allow formulas of the form k cert <fi for arbitrary formulas cf>. However, if (j> is not of 
the form n 1 — > p, then such formulas do not interact with the other constructs under the semantics of 
(Halpern and van der Meyden 2001). Thus, LLNC does not gain additional expressive power from such 
formulas. 

Following SDSI, LLNC also has a notion of a global name. Since global names have been omitted in 
SPKI, we omit them in $\mathcal{L}_{SPKI}$ as well. 






4.2 Semantics 



The semantics for $\mathcal{L}_{SPKI}$ extends that of LLNC. We begin by outlining the main 
components of the semantic model. 

In LLNC, there is a notion of a world. A world essentially describes which certificates 
have been issued. Since now we have time in the picture, we need a temporal analogue of 
a world. This is a run. Formally, a (K, N, A)-run is a function $r : \mathbb{N} \to \mathcal{P}(\mathcal{C}^+(K, N, A))$. 
(We use $\mathcal{P}(X)$ to denote the set of subsets of X here and elsewhere.) We are implicitly 
assuming a global clock and are taking time with respect to that global clock. Intuitively, 
r(t) is the set of appropriately signed certificates issued at time t. That is, if c is a 
certificate, then $c \in r(t)$ if a certificate with contents c is issued at time t in run r. For 
compatibility with the SPKI document, we assume that the set of revocation certificates 
issued in r (that is, the set of revocation certificates in $\bigcup_{t \in \mathbb{N}} r(t)$) is consistent: there 
cannot be two CRLs with the same issuer whose validity intervals overlap. 

As we said before, we assume that there is a set A of action expressions, which 
represent sets of actions in a set Act, and a fixed action interpretation that maps 
expressions in A to subsets of Act. 

To interpret local names, LLNC has a construct called a local name assignment that 
associates with each key k and local name n the set of keys bound to n by k. There is an 
analogous function here, but it now takes a time as an argument, since the association 
may vary over time. In addition, to take into account the new constructs in $\mathcal{L}_{SPKI}$, there 
is a function that associates with each key k, local name n, and time t the set of actions 
that k has granted each other principal permission to perform, and describes whether or 
not that permission can be delegated. These functions can be extended from local names 
to all principal expressions; see below. 

Formally, 

• a (temporal) local name assignment (for K and N) is a function $L : K \times N \times \mathbb{N} \to \mathcal{P}(K)$. 
Intuitively, for $k \in K$, $n \in N$ and $t \in \mathbb{N}$, the set L(k, n, t) contains the 
keys associated at time t with the name n in k's name space. 

• a (temporal) permission/delegation assignment (for K and Act) is a function 
$P : K \times \mathbb{N} \times K \times Act \to \{0, 1, 2\}$ such that if $P(k_1, t, k_2, a) = 2$ and $P(k_2, t, k_3, a) = i$, 
then $P(k_1, t, k_3, a) \ge i$. Intuitively, P(k, t, k', a) is 0 if at time t, k has not granted 
k' the right to perform or delegate a; it is 1 if principal k has granted permission 
to principal k' to perform action a; it is 2 if, in addition, principal k has delegated 
authority to principal k' to propagate the right to perform action a.¹³ The meaning 
of the right to propagate is captured by the condition above: if, at time t, $k_1$ has 
granted $k_2$ the right to propagate permission to perform a, and $k_2$ has granted $k_3$ 
permission to perform (propagate) a, then, according to $k_1$, principal $k_3$ has the 
right to perform (propagate) a. The reason that the condition says $P(k_1, t, k_3, a) \ge i$ 
rather than $P(k_1, t, k_3, a) = i$ is that if $i = 1$, for example, it is possible that $k_1$ 
independently granted $k_3$ the right to delegate a, so that $P(k_1, t, k_3, a) = 2$. 

13 As noted in (SPKI Working Group 1998), there is not much point to having a principal able to 
propagate the right to perform an action without having the right to perform it, since the principal may 
always grant itself that right. 

A (K, N, Act) interpretation $\pi$ is a tuple (L, P) consisting of a local name assignment 
L for K and N and a permission/delegation assignment P for K and Act. We 
omit the modifier (K, N, Act) when it is not relevant to the discussion. However, it is 
important to note that the parameters that characterize the language also characterize 
the interpretations. 

Given a local name assignment L, a key k, and a time $t \in \mathbb{N}$, we can assign to each 
principal expression p a set of keys $[\![p]\!]_{L,k,t}$. This set is defined by the following recursion: 

• $[\![k']\!]_{L,k,t} = \{k'\}$, if $k' \in K$ is a key, 

• $[\![n]\!]_{L,k,t} = L(k, n, t)$, if $n \in N$ is a local name, 

• $[\![p\text{'s } q]\!]_{L,k,t} = \bigcup \{ [\![q]\!]_{L,k',t} \mid k' \in [\![p]\!]_{L,k,t} \}$. 

This definition is essentially identical to that in (Abadi 1998; Halpern and van der 
Meyden 2001), except that we have made the interpretation of local names depend on 
the time of evaluation. 

It is now easy to prove some basic facts about principal expressions. First, we can 
show that a fully-qualified name is independent of the key. 

Lemma 4.1: If p is a fully qualified principal expression, then $[\![p]\!]_{L,k,t} = [\![p]\!]_{L,k',t}$ for all 
keys k and k'. 

Proof: By an easy induction on the structure of p. | 

We also make precise our claim that the combination of names is associative. 

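Lemma 4.2: For all principal expressions $p_1$, $p_2$, and $p_3$, keys k, and local name 
assignment L, 

$[\![p_1\text{'s } (p_2\text{'s } p_3)]\!]_{L,k,t} = [\![(p_1\text{'s } p_2)\text{'s } p_3]\!]_{L,k,t}$. 

Proof: By unwinding the definitions, it immediately follows that both $[\![p_1\text{'s } (p_2\text{'s } p_3)]\!]_{L,k,t}$ 
and $[\![(p_1\text{'s } p_2)\text{'s } p_3]\!]_{L,k,t}$ are equal to 

$\bigcup \{ [\![p_3]\!]_{L,k_2,t} : k_2 \in [\![p_2]\!]_{L,k_1,t},\ k_1 \in [\![p_1]\!]_{L,k,t} \}$. 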



In order to capture the impact that CRLs have on the interpretation of naming and 
authorization certificates, we say that a certificate c is applicable at time t in a run r 
if either c is not revocable, or c is revocable by a key $k_r$ and for some $t' \le t$ we have 
$(\mathrm{crl}\ k_r\ (\mathrm{canceled}\ c_1, \ldots, c_n)\ V) \in r(t')$ for some $(c_1, \ldots, c_n)$ such that c is not one of 
the $c_i$, and $t \in V$. Roughly speaking, this says that c is applicable at time t if it has been 
declared not to have been revoked at t (under the assumption that at most one CRL is 
applicable at any given time). Note that a certificate c may be applicable at a time t 
outside its validity interval. 

We now define what it means for a formula $\phi$ to be true at a run r with respect to 
an interpretation $\pi = (L, P)$, a key k, and a time t, written $r, \pi, k, t \models \phi$, by induction 
on the structure of $\phi$: 

• $r, \pi, k, t \models p \longmapsto q$ if $[\![p]\!]_{L,k,t} \supseteq [\![q]\!]_{L,k,t}$, 

• $r, \pi, k, t \models c$ if $c \in r(t')$ for some $t' \le t$, 

• $r, \pi, k, t \models Perm(k_1, p, A)$ if for all $k_2 \in [\![p]\!]_{L,k_1,t}$ and all $a \in \alpha_{\mathcal{A}}(A)$, we have 
$P(k_1, t, k_2, a) \ge 1$, 

• $r, \pi, k, t \models Del(k_1, p, A)$ if for all $k_2 \in [\![p]\!]_{L,k_1,t}$ and all $a \in \alpha_{\mathcal{A}}(A)$, we have 
$P(k_1, t, k_2, a) = 2$, 

• $r, \pi, k, t \models now \in V$ if $t \in V$, 

• $r, \pi, k, t \models applic(c)$ if c is applicable at time t in r, 

• $r, \pi, k, t \models \phi \wedge \psi$ if $r, \pi, k, t \models \phi$ and $r, \pi, k, t \models \psi$, 

• $r, \pi, k, t \models \neg\phi$ if not $r, \pi, k, t \models \phi$. 

We write $r, \pi \models \phi$ if $r, \pi, k, t \models \phi$ for all principals $k \in K$ and all times $t \in \mathbb{N}$. 

In the definitions so far, there is no connection between the run and the interpre- 
tation. Intuitively, we would like the interpretation, which contains information about 
the meaning of local names and permissions and delegations, to be determined from the 
information about the certificates that have been issued at each point in time that is 
represented in the run. We connect these ideas by means of the following definition. The 
interpretation $\pi = (L, P)$ is consistent with a run r if, for all times $t \in \mathbb{N}$, 

1. for all naming certificates c = (cert k n p V ($k_r$)) in $\bigcup_{t' \le t} r(t')$, if $t \in V$ and c 
is applicable at t in r, then $[\![n]\!]_{L,k,t} \supseteq [\![p]\!]_{L,k,t}$; 

2. for all authorization certificates c = (cert k p D A V ($k_r$)) in $\bigcup_{t' \le t} r(t')$, if $t \in V$ 
and c is applicable at t in r, then for all $a \in \alpha_{\mathcal{A}}(A)$ and all keys $k' \in [\![p]\!]_{L,k,t}$, we 
have 

(a) $P(k, t, k', a) \ge 1$, 

(b) if D = true then $P(k, t, k', a) = 2$. 

In general, an interpretation can be consistent with a run while allowing facts to hold 
that do not follow from the certificates issued in the run. For an extreme example of this, 
let r be the run in which no certificates are ever issued, and suppose that $\pi$ is the maximal 
interpretation, where L(k, n, t) = K and P(k, t, k', a) = 2 for all keys k, k', local names 
n, actions a, and times t. Then $\pi$ is consistent with r. This is undesirable. Intuitively, 
we would like facts concerning rights and the meaning of local names to hold only if they 
are forced to do so by some certificate. To enforce this, we restrict the interpretation to 
be the minimal one consistent with the run. Our technique for doing so extends that 
used in (Halpern and van der Meyden 2001). 

Formally, define an order $\le$ on (K, N, Act) interpretations by $(L, P) \le (L', P')$ if, 
for all keys k, local names n, and times t, we have $L(k, n, t) \subseteq L'(k, n, t)$ and for all 
keys k' and actions a, we have $P(k, t, k', a) \le P'(k, t, k', a)$. Thus, $(L, P) \le (L', P')$ if, 
for all n, k, and t, at least as many keys are bound to n by k at time t in L' as in L. 
In addition, at least as many keys are authorized to perform action a by k at time t in 
P' as in P and, of those keys authorized to perform the action a, at least as many can 
delegate that authority in P' as in P. 

This order can easily be seen to give the set of (K, N, Act) interpretations the structure 
of a lattice. Say that an element $\pi$ of a set S of interpretations is minimal in S if $\pi \le \pi'$ 
for all $\pi' \in S$. 

Proposition 4.3 : For every run r, there exists a unique (K, N, Act) interpretation 
minimal in the set of (K, N, Act) interpretations consistent with r. 

Proof: See the appendix. | 

We write $\pi_r$ for the minimal interpretation consistent with r. Intuitively, in the 
minimal interpretation consistent with r, there are no name bindings, permissions, or 
delegations that are not forced by r. Enforcing the requirement that the interpretation 
should be the minimal one consistent with the run leads to a variant of the semantics 
discussed above. We write $r, k, t \models_{cl} \phi$ if $r, \pi_r, k, t \models \phi$. We say that a formula $\phi$ is 
cl-valid (with respect to K, N, Act) in $\mathcal{L}_{SPKI}(K, N, Act)$, written $\models_{cl,K,N,Act} \phi$, if $r, k, t \models_{cl} \phi$ 
for all (K, N, Act)-runs r, keys $k \in K$, and times t. (The "cl" stands for closed, since in 
(Halpern and van der Meyden 2001) the semantics corresponding to $\models_{cl}$ is termed the 
closed semantics, while the semantics corresponding to $\models$ was termed the open semantics. 
We use "cl" here rather than "c" as in (Halpern and van der Meyden 2001) to denote 
the closed semantics, to avoid confusion with c, which ranges over certificates.) The 
closed semantics is the one of most interest to us here, since it enforces the desired close 
connection between the certificates actually issued and the name bindings, permissions, 
and delegations. The open semantics is mainly used as a stepping-stone to defining the 
closed semantics. Validity with respect to the open semantics can also be viewed as 
capturing what is guaranteed to hold, no matter what additional certificates are issued. 
Interestingly, as shown in (Halpern and van der Meyden 2001), validity with respect to 
the open and closed semantics coincide for the logic LLNC. We believe that they also 
coincide for the logic $\mathcal{L}_{SPKI}$, although we have not checked carefully. 

It is not hard to check that the subscripts N and Act play no role in $\models_{cl,K,N,Act}$: if a 
formula is valid for some choice of N and Act (for a fixed K), then it is valid for all choices 
of N and Act. However, as observed in (Halpern and van der Meyden 2001) (where a 
complete axiomatization for LLNC was provided), the axioms do depend on the choice 
of K; in particular, they depend on the cardinality of K. For example, suppose K has 
just one element, say k. Then it is easy to see that $\models_{cl,K,N,Act} n \longmapsto k \Rightarrow k\text{'s } n \longmapsto k\text{'s } m$, 
for all $n, m \in N$. Since n is bound to k, it follows that the interpretation of k's n must 
be {k}, since k is the only key. Thus, the interpretation of k's n must be a superset of 
the interpretation of k's m, and so $k\text{'s } n \longmapsto k\text{'s } m$ holds. However, this argument depends 
critically on the assumption that K = {k}. The formula $n \longmapsto k \Rightarrow k\text{'s } n \longmapsto k\text{'s } m$ is not 
valid if there are at least two keys: If k' is a key distinct from k, then it is possible that 
k' is bound to k's m and not bound to k's n. In light of this discussion, we omit N and 
Act from the subscript from here on in, but include K when it plays an important role. 

We can now make precise the intuition that in the minimal interpretation only name 
bindings and permissions and delegations forced by r hold. Define the formula associated 
with the naming certificate c = (cert k n p V ($k_r$)) to be 

$now \in V \Rightarrow (k\text{'s } n \longmapsto p)$. 

Similarly, the formula associated with the authorization certificate c = (cert k p D A V ($k_r$)) 
is 

$now \in V \Rightarrow [Perm(k, p, A) \wedge (D \Rightarrow Del(k, p, A))]$. 

Let $\phi_c$ be the formula associated with certificate $c \in \mathcal{C}$. 

Proposition 4.4: The interpretation $\pi$ is consistent with a run r iff for all times $t \in \mathbb{N}$, 
keys $k \in K$, and $c \in \mathcal{C}$, we have $r, \pi, k, t \models c \wedge applic(c) \Rightarrow \phi_c$. 

Proof: Immediate from the definition of consistency. | 



Note that it follows from Proposition 4.4 that if $\pi$ is an interpretation consistent with 
run r and a certificate $c \in \mathcal{C}$ was issued in r at or before time t and remains applicable 
at t, then $r, \pi, k, t \models \phi_c$. Moreover, the minimal interpretation associated with r is the 
minimal interpretation $\pi$ satisfying $r, \pi, k, t \models \phi_c$ for all certificates $c \in \mathcal{C}$ that have been 
issued in r at or before time t and remain applicable at t. In this sense, the formulas 
associated with certificates precisely capture their meaning. It is also worth noting that 
$\models_{cl} c \wedge applic(c) \Rightarrow \phi_c$ for all $c \in \mathcal{C}$. 
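The following added example (not code from the paper) computes the minimal interpretation of Section 4.2 at a single time t by fixpoint iteration, using the applicability test for revocable certificates. The tuple encoding of principal expressions, the names `NameCert`, `AuthCert`, `CRL`, and the sample run are assumptions made for illustration; action expressions are taken to be explicit finite sets of actions.

```python
from collections import namedtuple

# Principal expressions (assumed encoding): ("key", k), ("name", n),
# ("of", p, q) for "p's q".
NameCert = namedtuple("NameCert", "k n p V revoker")    # (cert k n p V (k_r))
AuthCert = namedtuple("AuthCert", "k p D A V revoker")  # (cert k p D A V (k_r))
CRL = namedtuple("CRL", "issuer canceled V")            # (crl k_r (canceled ...) V)


def issued_by(run, t):
    """All certificates in r(t') for some t' <= t."""
    return [c for t2, certs in run.items() if t2 <= t for c in certs]


def applicable(c, t, run):
    """c is irrevocable, or a CRL from its revoker covers t and does not list c."""
    if c.revoker is None:
        return True
    return any(isinstance(x, CRL) and x.issuer == c.revoker
               and x.V[0] <= t <= x.V[1] and c not in x.canceled
               for x in issued_by(run, t))


def keys_of(p, L, k):
    """[[p]]_{L,k,t} for a fixed t; L maps (key, name) to a set of keys."""
    if p[0] == "key":
        return {p[1]}
    if p[0] == "name":
        return set(L.get((k, p[1]), ()))
    return {k2 for k1 in keys_of(p[1], L, k) for k2 in keys_of(p[2], L, k1)}


def minimal_interpretation(run, t):
    """Least (L, P) at time t consistent with the run, by fixpoint iteration."""
    live = [c for c in issued_by(run, t) if not isinstance(c, CRL)
            and c.V[0] <= t <= c.V[1] and applicable(c, t, run)]
    L, P = {}, {}
    changed = True
    while changed:
        changed = False
        for c in live:
            subjects = keys_of(c.p, L, c.k)
            if isinstance(c, NameCert):
                bound = L.setdefault((c.k, c.n), set())
                if not subjects <= bound:
                    bound |= subjects
                    changed = True
            else:
                level = 2 if c.D else 1
                for k2 in subjects:
                    for a in c.A:
                        if P.get((c.k, k2, a), 0) < level:
                            P[(c.k, k2, a)] = level
                            changed = True
        # Condition on P: if k1 lets k2 propagate a and k2 grants k3 level i,
        # then P(k1, t, k3, a) >= i.
        for (k1, k2, a), lvl in list(P.items()):
            if lvl == 2:
                for (k2b, k3, a2), i in list(P.items()):
                    if k2b == k2 and a2 == a and P.get((k1, k3, a), 0) < i:
                        P[(k1, k3, a)] = i
                        changed = True
    return L, P


def constructed_run():
    """Constructed sample run (not from the paper): time -> certificates issued."""
    joe, alice, bob = ("key", "joe"), ("key", "alice"), ("key", "bob")
    buddies = NameCert("joe", "poker-buddies", alice, (0, 10), "joe-crl")
    return buddies, {
        0: [NameCert("ron", "joe", joe, (0, 10), None), buddies,
            AuthCert("ron", ("of", ("name", "joe"), ("name", "poker-buddies")),
                     False, frozenset({"read"}), (0, 10), None),
            AuthCert("ron", joe, True, frozenset({"write"}), (0, 10), None),
            AuthCert("joe", bob, False, frozenset({"write"}), (0, 10), None)],
        1: [CRL("joe-crl", (), (1, 3))],          # covers t in [1,3], cancels nothing
        4: [CRL("joe-crl", (buddies,), (4, 6))],  # covers t in [4,6], cancels buddies
    }
```

In this run the revocable binding holds only while a CRL that omits it is in force (times 1 to 3); at times 0, 5 and 8 it is absent from the minimal interpretation, while the irrevocable delegation chain from ron through joe to bob holds throughout.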



5 Soundness and completeness of tuple reduction 

We are now in a position to compare the SPKI tuple reduction rules to our semantics. 
Intuitively, we would like to understand tuple reduction as drawing inferences about the 
run based on evidence provided in the certificates presented to the verifier. Thus, we want 
to show that all conclusions based on tuple reduction are true under our semantics and, 
conversely, all valid conclusions about bindings and authorizations that follow from the 
issuing of certain certificates are derivable from those certificates using tuple reductions. 
More precisely, we want to show that, given a finite set $C \cup C_R$ of certificates, where 
C consists of naming and authorization certificates and $C_R$ consists of CRLs, we have 
$\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$ iff $\tau_c$ can be derived from the tuples in Tuples(C, $C_R$), using the 
tuple reduction rules. This can be broken up into two questions: 

• soundness: if $\tau_c$ can be derived from the tuples in Tuples(C, $C_R$) using the tuple 
reduction rules, then $\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, 

• completeness: if $\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$ then $\tau_c$ can be derived from the tuples in 
Tuples(C, $C_R$) using the tuple reduction rules. 

Of course, whether soundness and completeness hold depends in large part on which 
reduction rules are used. We are particularly interested in questions such as whether 
R2' and R3' are needed to derive all conclusions of interest about certificates and, if not, 
what conclusions they can be used to derive. 

Showing that the tuple reduction rules discussed earlier are sound with respect to the 
$\mathcal{L}_{SPKI}$ semantics is straightforward. To make this precise, if T is a set of tuples and $\tau$ is 
a tuple, we write $T \longrightarrow_0^* \tau$ if there exists a sequence of tuples $\tau_1, \ldots, \tau_k$ such that $\tau_k = \tau$ 
and for each $i \le k$ either $\tau_i \in T$ or there exist $j, j' < i$ such that $\tau_j + \tau_{j'} \longrightarrow \tau_i$ is an 
instance of one of R1, R2, or R3. 



Theorem 5.1: Suppose that C is a finite subset of $\mathcal{C}$, $C_R$ is a finite set of CRLs, and 
$c \in \mathcal{C}$. If Tuples(C, $C_R$) $\longrightarrow_0^* \tau_c$, then $\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$. 

Since Theorem 5.1 is a special case of a more general soundness result, Theorem 5.3, 
we defer the proof until after the statement of the latter theorem. 

Completeness is not at all straightforward; indeed, it does not hold for R1-R3. What 
does hold is a weak version of completeness. To understand this in more detail, we need 
a few definitions. 

A concrete certificate is one whose corresponding tuple has the form (k, n, k', [t,t]) 
(in the case of naming certificates) or (k, k',D, {a}, [t,t]) (in the case of authorization 
certificates). That is, concrete certificates talk about the keys that are bound to names 
and the keys that are authorized to perform certain actions, and are concerned only with 
a single point in time and single actions. 

The following result shows that R1, R2, and R3 suffice in a certain sense to deal with 
concrete certificates. We say that a naming certificate with 4-tuple (k, n, p, V) subsumes a 
naming certificate with 4-tuple (k, n, p, V') if $V \supseteq V'$. Similarly an authorization certificate 
with 5-tuple (k, p, D, A, V) subsumes an authorization certificate with 5-tuple (k, p, D', A', V') 
if $V \supseteq V'$ and $\alpha_{\mathcal{A}}(A) \supseteq \alpha_{\mathcal{A}}(A')$ and $D \Leftarrow D'$ is valid. (Recall that we have assumed that it 
is possible to tell if one action expression is a superset of another.) Clearly if c subsumes 
c', then $\models_{cl} \phi_c \Rightarrow \phi_{c'}$. 

Theorem 5.2: If c is a concrete certificate, C is a finite subset of $\mathcal{C}$, $C_R$ is a finite set 
of CRLs, and $\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, then there exists a certificate c' that subsumes c 
such that Tuples(C, $C_R$) $\longrightarrow_0^* \tau_{c'}$. 



Proof: See the appendix. | 

Theorem 5.2 tells us that if all we want to do is to check if a given key is currently 
bound to a given name or if a given key is currently authorized to perform a given 
action, then R1-R3 essentially suffice. (Clarke et al. (2001) establish a closely related 
result. They define the semantics of names operationally using just R2' (which they call 
rule composition), and then establish that all conclusions about whether a given key is 
bound to a given name can be derived using just R2.) 

However, R1-R3 do not suffice if we want to do full-fledged reasoning about the 
consequences of a set of certificates. For example, in general, R1-R3 may not suffice to 
draw a conclusion of the form $k\text{'s } n \longmapsto p$, where p is an arbitrary principal expression, 
even though it may be a logical consequence of the certificates issued. Such conclusions 
are of interest in the context of "certificate result certificates" ((Ellison, Frantz, Lampson, 
Rivest, Thomas, and Ylonen 1999a), Section 6.7), which are new certificates stating 
facts that are consequences of a set of certificates previously issued. Certificate result 
certificates help to reduce the amount of work a relying party needs to do when processing 
a request. 

There are three impediments to getting a full completeness theorem that is a converse 
to Theorem 5.1. The first two are easily dealt with by adding rules. 

First, we want to get rid of the restriction that allows conclusions only about keys. 
R2 and R3 do not suffice for this. For example, let $c_1$, $c_2$, and $c_3$ be irrevocable naming 
certificates whose corresponding 4-tuples are $(k_1, n, k_2\text{'s } m\text{'s } p, [t,t])$, $(k_2, m, q, [t,t])$, and 
$(k_1, n, q\text{'s } p, [t,t])$, respectively. Clearly $\models_{cl} c_1 \wedge c_2 \Rightarrow \phi_{c_3}$. However, we cannot get $\tau_{c_3}$ 
from $\tau_{c_1}$ and $\tau_{c_2}$, since the only rule that could possibly be of help, R2, applies only to 
4-tuples whose third argument is a key. To deal with this problem, we need R2'. Similarly, 
R3' is needed to deal with the analogous problem for R3. We also need the following 
trivial axiom to deal with a special case: 

R0. $\longrightarrow (k, n, k\text{'s } n, [0, \infty])$. 

(The fact that there is nothing to the left of the $\longrightarrow$ is meant to indicate that the 
conclusion on the right-hand side can be reached in all circumstances.) 

A naming certificate is point-valued if its time interval has the form [t,t]. A concrete 
certificate is point-valued but a point-valued naming certificate can have as its third 
component an arbitrary fully-qualified expression. As we shall see, R0, R1, R2', and 
R3' essentially suffice to get us conclusions about point-valued naming certificates, but 
do not suffice to get us conclusions about arbitrary time intervals and sets of actions. 
To see that they do not suffice, consider three irrevocable naming certificates $c_1$, $c_2$, 
and $c_3$ whose corresponding 4-tuples are (k, n, p, [1, 2]), (k, n, p, [3, 4]), and (k, n, p, [1, 4]). 
Clearly $\models_{cl} c_1 \wedge c_2 \Rightarrow \phi_{c_3}$. However, we cannot get $\tau_{c_3}$ from $\tau_{c_1}$ and $\tau_{c_2}$, since none of 
the reduction rules increase the size of intervals. Similar issues arise with 5-tuples. 

There are a number of ways to deal with this. Perhaps the simplest is just to add the 
following reduction rule: 

R4(a). $(k, n, p, V_1) + (k, n, p, V_2) \longrightarrow (k, n, p, V_3)$ if $V_1 \cup V_2 \supseteq V_3$. 

R4(b). $(k, p, D, A, V_1) + (k, p, D, A, V_2) \longrightarrow (k, p, D, A, V_3)$ if $V_1 \cup V_2 \supseteq V_3$. 

R4(c). $(k, p, D_1, A_1, V) + (k, p, D_2, A_2, V) \longrightarrow (k, p, D_3, A_3, V)$ if $D_3 \Rightarrow D_1 \wedge D_2$ is a tautology and 
$\alpha_{\mathcal{A}}(A_1) \cup \alpha_{\mathcal{A}}(A_2) \supseteq \alpha_{\mathcal{A}}(A_3)$. 

Note that the rule 

$(k, n, p, V_1) \longrightarrow (k, n, p, V_3)$ if $V_1 \supseteq V_3$ 

is a special case of R4(a) (taking $V_1 = V_2$). Similar comments apply to R4(b) and R4(c). 
How easy it is to apply R4(c) depends on how easy it is to check that $\alpha_{\mathcal{A}}(A_1) \cup \alpha_{\mathcal{A}}(A_2) \supseteq 
\alpha_{\mathcal{A}}(A_3)$. If action expressions can represent infinite sets of actions, this may be nontrivial. 
We do not address this issue here. Of course, it is trivial to determine if $V_1 \cup V_2 \supseteq V_3$. 
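The two counterexamples above can be replayed mechanically. This added sketch (not code from the paper or from SPKI) encodes a 4-tuple as (issuer, name, subject, V) with the subject flattened to a tuple of atoms, which Lemma 4.2 justifies. The shape of R2 and R2' is read off the $c_1$, $c_2$, $c_3$ example on this page; intersecting the two validity intervals is an assumption, since the rule statements appear earlier in the paper. R4(a) is checked exactly as stated, over discrete time.

```python
import math


def K(k):
    return ("key", k)


def N(n):
    return ("name", n)


def meet(V1, V2):
    """Intersection of two closed intervals, or None if it is empty (assumed)."""
    lo, hi = max(V1[0], V2[0]), min(V1[1], V2[1])
    return (lo, hi) if lo <= hi else None


def reduce_names(t1, t2, keys_only):
    """(k1, n, k2's m's p, V1) + (k2, m, q, V2) -> (k1, n, q's p, V1 meet V2).

    keys_only=True models R2 (q must be a single key); False models R2'.
    Returns the derived 4-tuple, or None when the rule does not apply.
    """
    (k1, n, subj, V1), (k2, m, q, V2) = t1, t2
    if len(subj) < 2 or subj[0] != K(k2) or subj[1] != N(m):
        return None
    if keys_only and not (len(q) == 1 and q[0][0] == "key"):
        return None
    V = meet(V1, V2)
    return None if V is None else (k1, n, q + subj[2:], V)


def covered(V3, V1, V2):
    """V1 union V2 is a superset of V3, for intervals of natural numbers."""
    point = V3[0]
    for _ in range(2):                      # at most two intervals to walk through
        hit = [V for V in (V1, V2) if V[0] <= point <= V[1]]
        if not hit:
            return False
        top = max(V[1] for V in hit)
        if top >= V3[1]:
            return True
        point = top + 1
    return False


def r4a(t1, t2, target):
    """R4(a): same (k, n, p) in all three tuples and V1 union V2 covers V3."""
    return t1[:3] == t2[:3] == target[:3] and covered(target[3], t1[3], t2[3])


def page_examples():
    """Constructed instances of the two counterexamples discussed above."""
    p = (N("friends"),)
    c1 = ("k1", "n", (K("k2"), N("m")) + p, (5, 5))
    c2 = ("k2", "m", (K("k3"), N("staff")), (5, 5))   # q is not a bare key
    a, b = ("k", "n", p, (1, 2)), ("k", "n", p, (3, 4))
    return {
        "R2": reduce_names(c1, c2, keys_only=True),
        "R2'": reduce_names(c1, c2, keys_only=False),
        "R4a [1,4]": r4a(a, b, ("k", "n", p, (1, 4))),
        "R4a [1,5]": r4a(a, b, ("k", "n", p, (1, 5))),
        "R4a open": r4a(a, ("k", "n", p, (3, math.inf)), ("k", "n", p, (2, 900))),
    }
```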

We write $T \longrightarrow_1^* \tau$ (resp., $T \longrightarrow_2^* \tau$) if there is a derivation of $\tau$ from T using rules 
R0, R1, R2', and R3' (resp., R0, R1, R2', R3', and R4). There is no difficulty showing 
that $\longrightarrow_2^*$ is sound. Note that the soundness of $\longrightarrow_0^*$ and $\longrightarrow_1^*$ follows as special cases. 

Theorem 5.3: Suppose that C is a finite subset of $\mathcal{C}$, $C_R$ is a finite set of CRLs, 
and $c \in \mathcal{C}$. If Tuples(C, $C_R$) $\longrightarrow_2^* \tau_c$, then $\models_{cl} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$. In fact, if $\pi$ 
is an interpretation consistent with a run r and Tuples(C, $C_R$) $\longrightarrow_2^* \tau_c$, then $r, \pi \models 
(\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$. 

Theorem 5.3 follows easily from the following two propositions, whose straightforward 
proof we leave to the reader. The first shows that the process of transforming a set of 
certificates into a set of tuples corresponds to a valid inference in the logic. 

Proposition 5.4: Suppose that $c_1$ is a revocable certificate in C, $c_2$ is a CRL such that 
$c_1$ is live with respect to $c_2$, and $c_3 = \tau(c_1, c_2)$. Then if $\pi$ is an interpretation consistent 
with a run r and Tuples(C, $C_R$) $\longrightarrow_2^* \tau_c$, then $r, \pi \models c_1 \wedge c_2 \Rightarrow \phi_{c_3}$. Similarly, if c is an 
irrevocable certificate in C, then $r, \pi \models c \Rightarrow \phi_c$. 

The second proposition shows that single reductions are sound with respect to the 
closed semantics. 

Proposition 5.5: Suppose that $c_1$, $c_2$, and $c_3$ are certificates and $\tau_{c_1} + \tau_{c_2} \longrightarrow \tau_{c_3}$ is an 
instance of R1, R2', R3', or R4. Then 

$\models_{cl} c_1 \wedge c_2 \Rightarrow \phi_{c_3}$. 

Moreover, if $\longrightarrow \tau_c$ is an instance of R0, then $\models_{cl} \phi_c$. 

As we show shortly, R4 (together with R0, R1, R2', R3') suffices for completeness 
provided that the set of keys is infinite. It does not suffice if the set of keys is finite. 
As we have seen, the set of valid formulas depends on the cardinality of the set K of 
keys. Consider the very simplest case where K consists of only one key k. Suppose that 
m and n are names in N. Let c and c' be irrevocable naming certificates whose 4-tuples 
are (k, n, k, V) and (k, n, k's m, V), respectively. It is easy to see that $\models_{cl,K} c \Rightarrow \phi_{c'}$. This 
is true for essentially the same reasons that $\models_{cl,K} n \longmapsto k \Rightarrow k\text{'s } n \longmapsto k\text{'s } m$. On the 
other hand, $\models_{cl,K} c \Rightarrow \phi_{c'}$ does not hold if $|K| \ge 2$ (and, in particular, if K is infinite). 
It easily follows that $\tau_{c'}$ is not derivable from {c}. Additional derivation rules would be 
necessary to allow this derivation. 

With a little more effort, examples like this can be given as long as K is finite. That 
is, if K is finite, then there exist finite sets $C \subseteq \mathcal{C}(K, N, A)$ and $C_R \subseteq \mathcal{C}_R(K, N, A)$ 
and a naming certificate c such that $\models_{cl,K} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, but $\tau_c$ cannot be derived 
from Tuples(C, $C_R$) using R0, R1, R2', R3', R4. Nevertheless, these reduction rules are 
"almost" complete. We show that, for any fixed set $C \subseteq \mathcal{C}^+(K, N, A)$, as long as $|K| > 
|C| + |c|$, then for all sets $C_R$, we have $\models_{cl,K} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$ iff Tuples(C, $C_R$) $\longrightarrow_2^* \tau_c$. 
(Here |c| denotes the length of the certificate c as a string of symbols, and |C| denotes 
the sum of the lengths of the certificates in the finite set C.) 

Theorem 5.6: If c is a certificate, C is a finite subset of $\mathcal{C}$, $C_R$ is a finite set of CRLs, 
$|K| > |C| + |c|$, and $\models_{cl,K} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, then Tuples(C, $C_R$) $\longrightarrow_2^* \tau_c$; moreover, 
if c is a point-valued certificate, then Tuples(C, $C_R$) $\longrightarrow_1^* \tau_{c'}$ for some certificate c' 
subsuming c. 

Proof: See the appendix. | 

Basically, Theorem 5.6 says that, by using R2', R3', and R4 in the tuple reduction 
rules, we can derive all conclusions about certificates, provided that K is not "small", in 
the sense that $|K| \le |C| + |c|$. This proviso is not at all unreasonable. The set K is, after 
all, intended to model the collection of potential public keys being used by the principals. 
In order for such a set of keys to be secure for signatures and encryption, it needs to be 
a very large set, so as to render brute force attacks on encrypted messages impractical 
(i.e., the key length needs to be large enough). By contrast, C models a set of certificates 
generated by the principals and presented in a particular authorization request, and c is 
a particular certificate. We do not expect the size of these to be of the same order of 
magnitude as K, so we would expect that $|K| > |C| + |c|$ will hold in practice. Another 
way to think about things is to understand K as modelling the set of all keys that could 
ever be used, if we allow the key length to be made arbitrarily large. In this case K is 
an infinite set, so we immediately have that $|K| > |C| + |c|$. Thus, in a precise sense, 
the rules R0, R1, R2', R3', and R4 together give us all interesting conclusions about 
certificates. 



6 Related Work 



As mentioned in the introduction, there have been a number of other recent approaches 
to giving semantics to SPKI. In this section, we compare these approaches to ours. 



Howell and Kotz (2000) give a semantics to names that closely resembles the semantics 
of Abadi (1998). In particular, a name is associated with a relation on possible worlds, 
rather than a set of keys as is the case in our semantics. We criticized Abadi's semantics 
in our earlier paper (Halpern and van der Meyden 2001); many of our criticisms apply to 
the Howell-Kotz semantics as well. Perhaps most significantly, the semantics for name 
binding (as Howell and Kotz themselves say) is rather opaque; it is hard to explain 
exactly what the meaning of the relation on worlds is. Their logic also uses a "speaks-for" 
relation $p \Rightarrow q$, where p, q are principal expressions, to capture both the binding 
relationship between names (similar to our use of $\longmapsto$) and the notion that q has delegated 
certain rights to p. As we argued in (Halpern and van der Meyden 2001), we believe that 
these are distinct notions that should be modeled using different constructs. Indeed, 
Howell and Kotz themselves note that their axiom 

$p \Rightarrow q \supset p\text{'s } n \Rightarrow q\text{'s } n$ 

is "surprisingly powerful" and needs to be "tempered", particularly when one considers 
the related notion "speaks for on topic T". In our logic, the formula 

$p \longmapsto q \Rightarrow p\text{'s } n \longmapsto q\text{'s } n$ 

is valid, but this is not a problem for us, since we do not interpret "$\longmapsto$" as "speaks-for". 

Just as we do, Howell and Kotz translate SPKI certificates to formulas in their logic. 
There seem to be some problems with their translation, although there are not enough 
formal details in the paper for us to be really sure that these are in fact problematic. 

• To capture the difference between just being given permission to perform an action 
and being given permission to delegate authority to perform the action, they split 
a real principal k into two principals $k_u$ and $k_b$; $k_b$ is supposed to deal with the 
situation where k can delegate authority, while $k_u$ is supposed to deal with the 
situation where k cannot delegate authority. There is no formal semantics given to 
$k_u$ and $k_b$, so it is not clear (to us) the extent to which this approach works. 

• Their approach to dealing with time seems to involve talking about time explicitly 
in the formula. But there is no type corresponding to time in the semantics, so 
there is nothing to connect the statements about time to the actual time. Again, 
since the discussion of how time is handled is quite informal (with no examples), it 
is hard to tell how well it will work. 



Howell and Kotz do claim that their semantics is sound with respect to tuple reduction; 
there is no discussion of completeness. 

Aura (1998) defines the notion of a delegation network, which is essentially a graphical 
description of a collection of certificates. Although he does not have a formal logic to 
reason about authorization, given a delegation network DN, he does define a relation 
$authorizes_{DN}(k_1, k_2, a)$, which can be read as "$k_1$ authorizes $k_2$ to perform a". Given 
a collection of SPKI certificates, Aura defines a corresponding authorization network 
DN and obtains a certain type of soundness and completeness result for reduction. 
Very roughly speaking, given a collection of certificates with corresponding delegation 
network DN, $authorizes_{DN}(k_1, k_2, a)$ holds iff there is a sequence of delegation networks 
$DN_1, \ldots, DN_m$ such that $DN_{i+1}$ is obtained from $DN_i$ by certificate reduction in a precise 
sense and in $DN_m$ there is an explicit certificate issued by $k_1$ authorizing $k_2$ to perform 
a. This is not a soundness and completeness result in the logical sense that we have here, 
although it provides what can be viewed as an operational semantics for the SPKI 5-tuple 
reduction rule Rl. One of the main differences from our work is that, where we deal with 
principal expressions, Aura's framework deals with an explicitly given set of keys; there 
is nothing in his paper that corresponds to our discussion of name reduction. Aura also 
does not seem to have time or revocation in his framework, nor does he consider the 
delegation bit. On the other hand, he does deal with threshold principals (as do Howell 
and Kotz), while we do not. 

Li (2000) has also considered the semantics of SPKI/SDSI. He presents a logic 
program, and provides results showing that this program derives the same set of concrete 
conclusions about SDSI names as 4-tuple reduction and SDSI's name resolution 
procedure REF (1996). He also provides an extension of the logic program intended to 
capture concrete conclusions about authorization certificates. However, he also does not 
explicitly treat timing and revocation, as we have done, and does not consider general 
reasoning such as that captured by our rules. On the other hand, he does discuss 
threshold subjects, which we have not treated. Another approach to formally capturing SPKI's 
semantics is presented by Weeks (2001) as an example of a more general framework for 
trust management in a functional programming style. This work does not attempt to 
prove any correspondence with the tuple reduction rules. 

Also related to our results in this paper is the work of Clarke et al. (Clarke, Elien, 
Ellison, Fredette, Morcos, and Rivest 2001), who consider the problem of discovering 
"certificate chains", i.e. proofs that a given set of certificates entails a given concrete 
certificate. Our notion of derivation "$\longrightarrow_0^*$" is similar to their notion of "name-reduction 
closure", and Theorem is closely related to a result they state (Theorem 1) 
concerning the completeness of the name reduction closure. They do not explicitly take time 
and revocation into account, as we have done, and they also do not consider the more 
general sorts of consequences we have discussed. On the other hand, they do 
characterize the computational complexity of the certificate chain discovery problem for concrete 
certificates, whereas we have not discussed the complexity of the inference problems we 
treat. We are currently examining the complexity of certificate chain discovery in our 
more general setting. 



7 Discussion 

In this paper, we have given a semantics for SPKI certificates independent of the
semantics given in terms of tuple reduction in the SPKI documentation (Ellison, Frantz,
Lampson, Rivest, Thomas, and Ylonen 1999a; Ellison, Frantz, Lampson, Rivest, Thomas,
and Ylonen 1999b). This allowed us to examine the extent to which the SPKI tuple
reduction rules are complete. The SPKI documents are ambiguous as to the purpose of the
tuple reduction rules, and conflate their use for purposes of semantics, making concrete
authorization decisions, and general reasoning (e.g., generating "certificate result certifi- 
cates"). We have carefully separated the three concerns here, and have shown that the 
relations between them are somewhat subtle. In particular, we have shown that extra 
reduction rules are needed in order to do general reasoning about certificates. Our main 
technical results show that, in a precise sense, the reduction rules given in the SPKI doc- 
ument are complete with respect to concrete certificates; adding a few more rules gives us 
an "almost" complete system with respect to general reasoning about certificates. This 
"almost completeness" result seems to be the best we can do without having rules that 
take into account the cardinality of the set of keys. 

We need to be careful about the interpretation of the conclusions for which we have 
shown the tuple reduction rules to be complete. The form of conclusion associated with 
the tuple reduction rules is $\models_c (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, where $\phi_c$ has the form $\mathit{now} \in V \Rightarrow \phi'_c$
(with the exact form of $\phi'_c$ depending on the type of certificate that $c$ is). This states that
$\phi'_c$ holds for all times in $V$ at which, additionally, all the certificates in $C \cup C_R$ have been
issued. Consider the certificate $c = (\mathtt{cert}\ k\ n\ k'\ [0, 10])$. According to our semantics,
if $c \in r(5)$ (i.e., this certificate is issued at time 5), and no other certificates are issued in
$r$, then $k\text{'s } n \longmapsto k'$ holds in $r$ during the interval $[5, 10]$, but not during the interval $[0, 4]$.
On the other hand, the tuple reduction rules (trivially) allow the derivation of the tuple
$\langle k, n, k', [0, 10] \rangle$, which suggests that $k\text{'s } n \longmapsto k'$ also holds during the interval $[0, 4]$.^14

14 We have followed the SPKI definitions closely, but we remark that we could modify the definition of
the tuple generated by a certificate and a CRL: if $c$ has validity interval $[t_1, t_2]$ and the computation is
done at $t_0$, then we redefine the interval in $\tau(c, c_R)$ to be the interval $[\max(t_0, t_1), t_2]$. All our completeness
results would go through with this change, and it would result in a better match between our semantics
and the tuple reduction rules.

Whether this difference matters depends on the use that is made of derived tuples. For
conclusions about the current time, the difference does not matter, since agents will only
be making authorization decisions based on c after the time at which c is issued, i.e., after 
time 5. However, for conclusions requiring reasoning about the past, the difference may 
be an issue needing careful consideration. (Such reasoning occurs in proposals by Rivest
(1998), Stubblebine (1995), and Stubblebine and Wright (1996) that involve authorizing
an action when the latest time for which the existence of a right to perform that action
can be proved is "sufficiently recent". Another example where reasoning about the past
may be important is where an auditor is verifying that an authorization decision made 
in the past was justified by certificates issued at the time of the decision.) As it does not 
appear that reasoning about the past was a significant concern in the design of SPKI, we 
do not pursue this further here. 

Another contribution of this paper is to show that nonmonotonic logic is not required 
in a logical modeling of revocation if one takes the SPKI perspective that revocation is 
not a change of mind but a revalidation. (This viewpoint is supported by the text in 
(SPKI Working Group 1998, Section 5.2): "The CRL is ... a completion of the certificate,
rather than a change of mind.") The logic of this paper, like our earlier logic LLNC for
SDSI, is monotonic. This does not prevent some aspects of its semantics from behaving
nonmonotonically. In particular, $L(k, n, t)$ may decrease as $t$ increases if, for example,
a certificate is revoked at time $t' > t$ that was not revoked at time $t$ or if the validity
interval of a certificate passes. Similarly, the set of actions a principal is permitted to
perform may decrease over time. Note also that the semantics does not require that if
a certificate appears on a CRL then it will also appear on all later CRLs issued during
the certificate's validity interval.^15 All of these types of "nonmonotonic" behaviour are
entirely consistent with the monotonic logic we have developed. 

We have focused on the SPKI reduction rules. However, we feel that the logic $\mathcal{L}_{SPKI}$
will be useful for more general reasoning about names and authorization in SPKI than
just whether a particular principal is authorized to perform some actions. For example,
we may want to know which principals are authorized to perform a certain action, which
actions a principal is allowed to perform, which principals are bound to a particular name,
and which names have a particular principal bound to them. In (Halpern and van der
Meyden 2001), we showed how we could translate queries about names (like the last two)
into Logic Programming queries, allowing us to take advantage of the well-developed
Logic Programming technology for answering such queries. We believe that it should be
relatively straightforward to extend the translation so that it can handle more general
SPKI queries. It also seems useful to try to obtain a sound and complete axiomatization
for the full logic $\mathcal{L}_{SPKI}$.

We believe that it should not be difficult to get such a complete axiomatization, using
ideas from our earlier paper on SDSI, but we have not pursued this question. We have
also not considered a number of features of SPKI, like threshold subjects and the precise
syntax of SPKI's tags (authorization expressions). It seems that our approach should be
extendible to handle these features, but we have not checked any details.

15 Although it does not appear to have been noted by the authors of SPKI, this allows CRLs to be
used to obtain temporary suspensions.



A Appendix: Proofs 



Proposition 4.3: For every run $r$, there exists a unique $(K, N, Act)$ interpretation
minimal in the set of $(K, N, Act)$ interpretations consistent with $r$.

Proof: Let $\mathcal{I}_r$ consist of all interpretations consistent with $r$. $\mathcal{I}_r$ is nonempty, since
the maximal interpretation is clearly consistent with $r$. Given an interpretation $\pi$, let
$L_\pi$ denote the $L$ component of $\pi$ and let $P_\pi$ denote the $P$ component of $\pi$. Define an
interpretation $\pi_0$ by taking $L_{\pi_0}(k, n, t) = \bigcap_{\pi \in \mathcal{I}_r} L_\pi(k, n, t)$ and taking
$P_{\pi_0}(k_1, t, k_2, a) = \min_{\pi \in \mathcal{I}_r} P_\pi(k_1, t, k_2, a)$. We now show that $\pi_0$ is the minimal element of $\mathcal{I}_r$.

Clearly $\pi_0 \le \pi$ for all $\pi \in \mathcal{I}_r$. Thus, we must only show that $\pi_0 \in \mathcal{I}_r$. First we
must show that for all naming certificates $c = (\mathtt{cert}\ k\ n\ p\ V\ (k_r))$ in $\bigcup_{t' \le t} r(t')$,
if $t \in V$ and $c$ is applicable at $t$ in $r$, then $[n]_{L_{\pi_0},k,t} \supseteq [p]_{L_{\pi_0},k,t}$. By definition,
$[n]_{L_{\pi_0},k,t} = \bigcap_{\pi \in \mathcal{I}_r} [n]_{L_\pi,k,t}$. Moreover, since each $\pi \in \mathcal{I}_r$ is consistent with $r$, we have that
$[n]_{L_\pi,k,t} \supseteq [p]_{L_\pi,k,t}$ for $\pi \in \mathcal{I}_r$. It follows immediately that
$[n]_{L_{\pi_0},k,t} = \bigcap_{\pi \in \mathcal{I}_r} [n]_{L_\pi,k,t} \supseteq \bigcap_{\pi \in \mathcal{I}_r} [p]_{L_\pi,k,t}$.
Thus, it suffices to show that $\bigcap_{\pi \in \mathcal{I}_r} [p]_{L_\pi,k,t} \supseteq [p]_{L_{\pi_0},k,t}$. This follows
by an easy induction on the structure of $p$. For the base case, as we have already
observed, we have equality; for the general case the argument is almost immediate from the
definition.^16

Next we must show that $P_{\pi_0}$ is indeed a permission/delegation assignment, that is,
that if $P_{\pi_0}(k_1, t, k_2, a) = 2$ and $P_{\pi_0}(k_2, t, k_3, a) = i$, then $P_{\pi_0}(k_1, t, k_3, a) \ge i$. But if
$P_{\pi_0}(k_1, t, k_2, a) = 2$ and $P_{\pi_0}(k_2, t, k_3, a) = i$, then $P_\pi(k_1, t, k_2, a) = 2$ and $P_\pi(k_2, t, k_3, a) \ge i$
for all $\pi \in \mathcal{I}_r$. Thus, $P_\pi(k_1, t, k_3, a) \ge i$ for all $\pi \in \mathcal{I}_r$, so $P_{\pi_0}(k_1, t, k_3, a) \ge i$.

Finally, we must show that $P_{\pi_0}$ satisfies the second requirement of consistency. So
suppose that $c = (\mathtt{cert}\ k\ p\ D\ A\ V\ (k_r))$ is an authorization certificate in $\bigcup_{t' \le t} r(t')$,
$t \in V$, and $c$ is applicable at $t$ in $r$. Then for all $\pi \in \mathcal{I}_r$, for all $a \in \alpha_{\mathcal{A}}(A)$, and all keys
$k' \in [p]_{L_\pi,k,t}$, we have

1. $P_\pi(k, t, k', a) \ge 1$,

2. if $D = \mathit{true}$ then $P_\pi(k, t, k', a) = 2$.

As we observed earlier, if $k' \in [p]_{L_{\pi_0},k,t}$, then $k' \in [p]_{L_\pi,k,t}$ for all $\pi \in \mathcal{I}_r$. Thus
$P_\pi(k, t, k', a) \ge 1$ for $\pi \in \mathcal{I}_r$, so $P_{\pi_0}(k, t, k', a) \ge 1$. Moreover, if $D = \mathit{true}$, then
$P_\pi(k, t, k', a) = 2$ for $\pi \in \mathcal{I}_r$, so $P_{\pi_0}(k, t, k', a) = 2$. This completes the proof. ■

16 We remark that this is a significantly simpler proof than that given for the analogous minimality
result for SDSI in our earlier paper (Halpern and van der Meyden 2001, Theorem 3.1).

We next prove the completeness results (Theorems 5.2 and 5.6). To do this, we need
some preliminary definitions and results.

Rules R2 and R3 are very similar in the way that they transform principal expressions.
For the completeness proofs, it is convenient to capture the commonalities by introducing
a new type of tuple that we call a 3-tuple. A 3-tuple has the form $\langle p, q, V \rangle$, where $p$, $q$
are fully qualified principal expressions and $V$ is an interval. Intuitively, this tuple says
that $p$ is bound to $q$ during the time interval $V$.

We have the following rules for reasoning about 3-tuples:

R5. $\longrightarrow \langle p, p, [0, \infty] \rangle$ for all fully qualified principal expressions $p$.

R6. $\langle p, k_1\text{'s } n\text{'s } q, V_1 \rangle + \langle k_1, n, k_2, V_2 \rangle \longrightarrow \langle p, k_2\text{'s } q, V_1 \cap V_2 \rangle$.

R5, like R0, is essentially an axiom. R6 is somewhat in the spirit of R2, in that the
third component of the 4-tuple is a key, rather than an arbitrary fully qualified name. R6'
extends R6 in much the same way that R2' extends R2.

R6'. $\langle p, k_1\text{'s } n\text{'s } q, V_1 \rangle + \langle k_1, n, r, V_2 \rangle \longrightarrow \langle p, r\text{'s } q, V_1 \cap V_2 \rangle$.

We abuse notation somewhat and continue to write $T \longrightarrow_0^* \tau$ (resp., $T \longrightarrow_1^* \tau$) if $\tau$
can be derived from $T$ using the rules R1-R3, R5, and R6 (resp., R0, R1, R2', R3', R5,
R6'). The following two propositions collect the key properties of 3-tuples.

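Proposition A.1: Suppose that $i \in \{0, 1\}$. If $T$ is a set of 4- and 5-tuples such that
$T \longrightarrow_i^* \langle p, q, V_1 \rangle$, then

(a) if $T \longrightarrow_i^* \langle k, n, p, V_2 \rangle$ then $T \longrightarrow_i^* \langle k, n, q, V_1 \cap V_2 \rangle$;

(b) if $T \longrightarrow_i^* \langle k, p, D, A, V_2 \rangle$ then $T \longrightarrow_i^* \langle k, q, D, A, V_1 \cap V_2 \rangle$;

(c) if $T \longrightarrow_i^* \langle p', p, V_2 \rangle$ then $T \longrightarrow_i^* \langle p', q, V_1 \cap V_2 \rangle$.

Proof: By a straightforward induction on the length of the derivation of $T \longrightarrow_i^* \langle p, q, V_1 \rangle$. ■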



Proposition A.2: Suppose that $i \in \{0, 1\}$. For all fully qualified names $p$, $q$ and local
names $n$, we have $T \longrightarrow_i^* \langle p, q, V \rangle$ iff $T \longrightarrow_i^* \langle p\text{'s } n, q\text{'s } n, V \rangle$.

Proof: Again, by a straightforward induction on the length of the derivation of
$T \longrightarrow_i^* \langle p, q, V \rangle$. ■

For convenience, we treat 3-tuples as certificates. For the 3-tuple $c = \langle p, q, V \rangle$, we
take $\tau_c = c$ and define $\phi_c$ to be the formula $\mathit{now} \in V \Rightarrow p \longmapsto q$. This formula captures
the intuition that the 3-tuple is essentially saying that $p$ is bound to $q$.

The following theorem, whose proof is just like that of Theorem 5.3, says that $\longrightarrow_1^*$
(and hence $\longrightarrow_0^*$) continues to be sound in the presence of the rules for 3-tuples.

Theorem A.3: Suppose that $C$ is a finite subset of $\mathcal{C}$, $C_R$ is a finite set of CRLs, and $c$ is
either a certificate in $\mathcal{C}$ or a 3-tuple. If $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \tau_c$, then
$\models_c (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$. In fact, if $\pi$ is an interpretation consistent with a run $r$ and
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \tau_c$, then $r, \pi \models (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$.



With this background, we are ready to prove Theorem 5.2.

Theorem 5.2: If $c$ is a concrete certificate, $C$ is a finite subset of $\mathcal{C}$, $C_R$ is a finite set
of CRLs, and $\models_c (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, then there exists a certificate $c'$ that subsumes $c$
such that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \tau_{c'}$.

Proof: We prove the contrapositive. Suppose that there does not exist a certificate $c'$
that subsumes $c$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \tau_{c'}$. We show that it is not the case that
$\models_c (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$ by showing that there is a run $r$ such that $r, k, t \models_c \bigwedge_{c' \in C \cup C_R} c'$
for all times $t$ but $r, k, t_0 \not\models_c \phi_c$, where $t_0$ is the time in the concrete certificate $c$.

Construct $r$ as follows: define $r(0) = C \cup C_R$ and $r(n) = \emptyset$ for all $n > 0$. Clearly
$r, k, t \models_c \bigwedge_{c' \in C \cup C_R} c'$ for all times $t$. To show that $r, k, t_0 \not\models_c \phi_c$, we need to identify the
minimal interpretation consistent with $r$. Consider the interpretation $\pi = (L, P)$ defined
as follows:

1. $L(k, n, t)$ is the set of keys $k'$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, k', V \rangle$ where $t \in V$.

2. $P(k, t, k', a) = 2$ if $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, k', A, \mathit{true}, V \rangle$ for some action
expression $A$ with $a \in \alpha_{\mathcal{A}}(A)$ and $t \in V$; $P(k, t, k', a) = 1$ if $\mathrm{Tuples}(C, C_R) \longrightarrow_0^*
\langle k, k', A, \mathit{false}, V \rangle$ for some $A$ with $a \in \alpha_{\mathcal{A}}(A)$ and $t \in V$ and it is not the case
that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, k', A', \mathit{true}, V \rangle$ for some $A'$ with $a \in \alpha_{\mathcal{A}}(A')$ and $t \in V$;
and $P(k, t, k', a) = 0$ otherwise.

We must check that $P$ is a legitimate permission/delegation assignment. In particular,
suppose that $P(k_1, t, k_2, a) = 2$ and $P(k_2, t, k_3, a) = i \ge 1$. We must show that
$P(k_1, t, k_3, a) \ge i$. Since $P(k_1, t, k_2, a) = 2$, $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_1, k_2, A_1, \mathit{true}, V_1 \rangle$
for some $A_1$ with $a \in \alpha_{\mathcal{A}}(A_1)$ and some $V_1$ containing $t$. Similarly, we must have that
$\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_2, k_3, D_2, A_2, V_2 \rangle$ where $t \in V_2$, for some $A_2$ with $a \in \alpha_{\mathcal{A}}(A_2)$, some
$D_2$ such that if $i = 2$ then $D_2 = \mathit{true}$, and some $V_2$ containing $t$. Using R1, it follows that
$\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_1, k_3, D_2, A_1 \cap A_2, V_1 \cap V_2 \rangle$. Since $a \in \alpha_{\mathcal{A}}(A_1 \cap A_2)$ and $t \in V_1 \cap V_2$,
it follows that $P(k_1, t, k_3, a) \ge i$, as desired.

Next we must show that this interpretation is the minimal one consistent with r. We 
first establish that it is consistent. Thus, we must show that the formulas associated with 
naming and authorization certificates are satisfied in r. To do this, we use the following 
lemma. (This lemma was our main motivation for introducing 3-tuples.) 

Lemma A.4: If $p$ is a fully qualified principal expression, then $k' \in [p]_{L,k,t}$ iff
$\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V \rangle$ for some interval $V$ containing $t$.

Proof: We proceed by induction on the structure of $p$. If $p$ is a key $k'$ then, by
definition, $[k']_{L,k,t} = \{k'\}$. By R5, $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k', k', [0, \infty] \rangle$. For the converse,
note that a straightforward induction on the length of the derivation shows that if
$\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k', q, V \rangle$, then $q = k'$ and $V = [0, \infty]$.

For the inductive step, suppose that $p = q\text{'s } n$. We first suppose that $k' \in [p]_{L,k,t}$,
and show that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V \rangle$ for some interval $V$ containing $t$. By
definition of $[p]_{L,k,t}$, there exists $k_1 \in [q]_{L,k,t}$ such that $k' \in L(k_1, n, t)$. By the inductive
hypothesis, we have $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle q, k_1, V_1 \rangle$ for some interval $V_1$ containing $t$. By
Proposition A.2, it follows that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle q\text{'s } n, k_1\text{'s } n, V_1 \rangle$. By definition of $L$
and the fact that $k' \in L(k_1, n, t)$, we have $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_1, n, k', V_2 \rangle$ for some $V_2$
containing $t$. By R6, it follows that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle q\text{'s } n, k', V_1 \cap V_2 \rangle$. This is what
we need, since $t \in V_1 \cap V_2$.

For the converse, suppose that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V \rangle$ for some interval $V$
containing $t$. We must show that $k' \in [p]_{L,k,t}$. Since $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V \rangle$ and
$p = q\text{'s } n$, it follows that there must be some key $k_1$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^*
\langle p, k_1\text{'s } n, V_1 \rangle$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_1, n, k', V_2 \rangle$, where $V = V_1 \cap V_2$. By the
definition of $L$, we have that $k' \in L(k_1, n, t)$. Since $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle q\text{'s } n, k_1\text{'s } n, V_{m-1} \rangle$,
by Proposition A.2, we also have $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle q, k_1, V_{m-1} \rangle$. By the induction
hypothesis, it follows that $k_1 \in [q]_{L,k,t}$. It is now immediate that $k' \in [p]_{L,k,t}$. ■
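
The correspondence stated in Lemma A.4 can be traced on a small case. The following is an added example, not part of the original paper: it applies R5 and R6 to a constructed set of 4-tuples whose subjects are already keys (so that $L$ can be read off them directly) and compares the result with direct evaluation of $[p]_{L,k,t}$. The key names, the encoding of tuples and principal expressions, and the function names are assumptions made for the illustration.

```python
import math
from collections import deque

INF = math.inf  # right end of the unbounded interval [0, oo]

def meet(v1, v2):
    """Intersection of two closed intervals (lo, hi); None if it is empty."""
    lo, hi = max(v1[0], v2[0]), min(v1[1], v2[1])
    return (lo, hi) if lo <= hi else None

def derive_3tuples(p, name_tuples):
    """3-tuples <p, q, V> obtained from R5 followed by repeated use of R6.

    p and q are encoded as (key, (n1, ..., nj)), read "key's n1's ... 's nj".
    name_tuples holds 4-tuples (k1, n, k2, (lo, hi)) whose subject k2 is a key.
    """
    start = (p, (0, INF))                      # R5: <p, p, [0, oo]>
    derived, queue = {start}, deque([start])
    while queue:
        (k1, names), v1 = queue.popleft()
        if not names:
            continue                           # q is a bare key: nothing left to reduce
        n, rest = names[0], names[1:]
        for (k, m, k2, v2) in name_tuples:
            v = meet(v1, v2) if (k, m) == (k1, n) else None
            if v is not None:                  # R6: <p, k2's rest, V1 intersect V2>
                item = ((k2, rest), v)
                if item not in derived:
                    derived.add(item)
                    queue.append(item)
    return derived

def validity_intervals(p, key, name_tuples):
    """Sorted intervals V for which <p, key, V> is derivable."""
    return sorted(v for (k, names), v in derive_3tuples(p, name_tuples)
                  if k == key and not names)

def keys_by_reduction(p, name_tuples, t):
    """Keys k' such that <p, k', V> is derivable for some V containing t."""
    return {k for (k, names), (lo, hi) in derive_3tuples(p, name_tuples)
            if not names and lo <= t <= hi}

def local_names(name_tuples, k, n, t):
    """L(k, n, t): keys bound to k's local name n at time t."""
    return {k2 for (k1, m, k2, (lo, hi)) in name_tuples
            if (k1, m) == (k, n) and lo <= t <= hi}

def keys_by_semantics(p, name_tuples, t):
    """[p]_{L,k,t} for a fully qualified p: follow each local name at time t."""
    key, names = p
    current = {key}
    for n in names:
        current = {k2 for k in current
                   for k2 in local_names(name_tuples, k, n, t)}
    return current

def lemma_holds(p, name_tuples, horizon):
    """Check both sides of Lemma A.4 agree at every time 0 .. horizon-1."""
    return all(keys_by_reduction(p, name_tuples, t) ==
               keys_by_semantics(p, name_tuples, t) for t in range(horizon))

# Constructed sample input: two bindings for Ron's "joe", each with its own
# "poker-buddies" bindings and validity intervals.
TUPLES = {
    ("K_ron", "joe", "K_joe", (0, 20)),
    ("K_ron", "joe", "K_jim", (5, 30)),
    ("K_joe", "poker-buddies", "K_ann", (10, 40)),
    ("K_joe", "poker-buddies", "K_bob", (0, 8)),
    ("K_jim", "poker-buddies", "K_ann", (25, 50)),
}
P = ("K_ron", ("joe", "poker-buddies"))   # K_ron's joe's poker-buddies

if __name__ == "__main__":
    print("K_ann reachable during:", validity_intervals(P, "K_ann", TUPLES))
    for t in (5, 15, 22, 27):
        print(t, sorted(keys_by_reduction(P, TUPLES, t)))
    print("both sides agree:", lemma_holds(P, TUPLES, 60))
```

The same key is reached through two chains with disjoint validity intervals, so the set of times at which it is bound is a union of intervals rather than a single one, which is why the lemma quantifies over some interval $V$ containing $t$.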

Continuing with the proof of the theorem, recall that we must show that the
formulas associated with certificates issued in $r$ are satisfied in $r$. Suppose that
$c = (\mathtt{cert}\ k\ n\ p\ V\ (k_r))$ is a naming certificate in $\bigcup_{t' \le t} r(t')$ that is applicable in $r$ at
time $t \in V$. We need to show that $[n]_{L,k,t} \supseteq [p]_{L,k,t}$. For this, note that either $k_r$ is not
present in $c$ and $\tau(c) = \langle k, n, p, V \rangle$, or there exists a CRL $c_R \in C_R$ with respect to
which $c$ is live and $\tau(c, c_R) = \langle k, n, q, V' \rangle$, where again $t \in V'$. In either case, it follows
that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, p, V_1 \rangle$ for some $V_1$ containing $t$.

We now want to show that if $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, p, V_1 \rangle$, then $[n]_{L,k,t} \supseteq [p]_{L,k,t}$.
Suppose that $k' \in [p]_{L,k,t}$. By Lemma A.4, we have that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V_2 \rangle$
for some $V_2$ containing $t$. Since $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, p, V_1 \rangle$, by Proposition A.1, it
follows that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, k', V_1 \cap V_2 \rangle$. Using the definition of $L$, it follows
that $k' \in [n]_{L,k,t}$, as desired.

Next, suppose that $c = (\mathtt{cert}\ k\ p\ D\ A\ V\ (k_r))$ is an authorization certificate in
$\bigcup_{t' \le t} r(t')$ that is valid in $r$ at time $t \in V$. As in the case of naming certificates, it follows
that there is some interval $V_1$ such that $t \in V_1$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, p, D, A, V_1 \rangle$.
Suppose that $k' \in [p]_{L,k,t}$. By Lemma A.4, $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle p, k', V_2 \rangle$ for some $V_2$
containing $t$. By Proposition A.1, $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, k', D, A, V_1 \cap V_2 \rangle$. From the
definition of $P$, it follows that

$r, \pi, k, t \models \mathit{Perm}(k, p, A) \wedge (D \Rightarrow \mathit{Del}(k, p, A))$,

as required.

To see that $(L, P)$ is in fact the minimal interpretation consistent with $r$, suppose
that $\pi' = (L', P')$ is another interpretation consistent with $r$. We need to show that
$\pi \le \pi'$. We first show that $L \le L'$. Suppose that $k' \in L(k, n, t)$. By definition of $L$,
$\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k, n, k', V \rangle$ for some interval $V$ containing $t$. Since $\pi'$ is consistent
with $r$, by Theorem A.3,

$r, \pi' \models (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow (\mathit{now} \in V \Rightarrow k\text{'s } n \longmapsto k')$.

Moreover, we have that $r, \pi', k, t \models \bigwedge_{c' \in C \cup C_R} c'$, by definition of $r$. Since $t \in V$, it follows
that $r, \pi', k, t \models k\text{'s } n \longmapsto k'$, so $k' \in L'(k, n, t)$. Thus, $L \le L'$. The argument that
$P \le P'$ is very similar, and is left to the reader.

It remains to show that $r, k, t_0 \not\models_c \phi_c$. To see this, suppose first that $c$ is a naming
certificate such that $\tau_c = \langle k, n, k', [t_0, t_0] \rangle$. Since $c$ is not subsumed by any 4-tuple
derivable from $\mathrm{Tuples}(C, C_R)$, it is immediate from the definition of $L$ that $k' \notin L(k, n, t_0)$.
From this it follows that $r, \pi, k, t_0 \not\models_c \phi_c$. The argument for authorization certificates is
similar. ■

We now prove Theorem 5.6.

Theorem 5.6: If $c$ is a certificate, $C$ is a finite subset of $\mathcal{C}$, $C_R$ is a finite set of
CRLs, and $|K| > |C| + |c|$, and $\models_{c,K} (\bigwedge_{c' \in C \cup C_R} c') \Rightarrow \phi_c$, then $\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \tau_c$;
moreover, if $c$ is a point-valued certificate, then $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \tau_{c'}$ for some
certificate $c'$ subsuming $c$.



Proof: The proof proceeds much in the same spirit as the proof of Theorem 5.2, using
3-tuples. Suppose that it is not the case that $\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \tau_c$ (or it is not the
case that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \tau_c$, in the case that $c$ is a point-valued naming certificate).
Again the idea is to construct a run $r$ such that $r, k, t \models_c \bigwedge_{c' \in C \cup C_R} c'$ for all times $t$ and
that $r, k, t_0 \not\models_c \phi_c$ for some time $t_0$. The construction of $r$ is somewhat more complicated
than in the case of Theorem 5.2.

Given a principal $p$, let $Cl(p)$ be the smallest set $S'$ of principal expressions containing
$p$, such that if $p\text{'s } n \in S'$ then $p \in S'$. It is easy to see that $|Cl(p)| \le |p|$, where $|p|$ is
the length of $p$ viewed as a string of symbols. If $C'$ is a set of certificates, let $Cl(C')$
be the union of $Cl(p)$, for all the principal expressions $p$ that appear in a certificate
in $C'$ as well as the principal expressions $k\text{'s } n$ for 4-tuples $\langle k, n, q, V \rangle$ in $C'$. Again, it
should be clear that $|Cl(C')| \le |C'|$. We will be interested in the set $S = Cl(C \cup \{c\})$
of principal expressions. Note that since we have assumed that $|K| > |C| + |c|$, it follows
that $|K| > |S|$.

Let $T$ be the set of time points containing $0$, $\infty$, and the left and right components of
each interval in $C \cup C_R$. Note first that only a finite number of intervals $V$ can appear in a
tuple $\langle p, q, V \rangle$ generated from $\mathrm{Tuples}(C, C_R)$, since every interval in a tuple generated
has both left and right components in $T$. Hence, $T$ is finite. Let $\mathcal{V}$ be the set of all point
intervals $[t, t]$ where $t \in T - \{\infty\}$, together with all intervals $[t_1 + 1, t_2 - 1]$ such that
$t_1, t_2 \in T$, $t_1 < t_2$ and for no $t \in T$ do we have $t_1 < t < t_2$. (We take $\infty - 1 = \infty$.)
Note that the intervals in $\mathcal{V}$ are pairwise disjoint and span $\mathbb{N}$. Moreover, if $V$ is the
validity interval of a tuple derivable from $\mathrm{Tuples}(C, C_R)$ and $W \in \mathcal{V}$, then either $V \cap W = \emptyset$
or $V \supseteq W$. Finally, note that $\mathcal{V}$ is finite, since $T$ is.

For each interval $W \in \mathcal{V}$, define the equivalence relation $\approx_W$ on $S$ by $p_1 \approx_W p_2$ if both
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p_1, p_2, V' \rangle$ for some $V' \supseteq W$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p_2, p_1, V'' \rangle$ for
some $V'' \supseteq W$. We write $[p]_W$ for the equivalence class of $\approx_W$ containing $p$.

Let $X$ be a set of keys in $K$ of cardinality $|S|$. For each interval $W \in \mathcal{V}$ and equivalence
class $x$ of $\approx_W$, choose a key $k_{x,W}$ in $X$ in such a way that if $x \ne y$, then $k_{x,W} \ne k_{y,W}$. Without
loss of generality, we may assume that $k_{[k]_W,W} = k$ for each key $k \in S$. (Note that $[k]_W = \{k\}$
since, as we observed earlier, if $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, V \rangle$, then we must have $p = k$.)
For ease of exposition, we write $k_{p,W}$ rather than $k_{[p]_W,W}$.

Consider the run $r$ where no certificates are issued after time $0$ and $r(0)$ consists of
the following certificates:

1. all certificates in $C \cup C_R$,

2. for each $W \in \mathcal{V}$, principal expression of the form $p\text{'s } n$ in $S$, principal expression
$q \in S$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p\text{'s } n, q, V' \rangle$ for some $V' \supseteq W$, the naming
certificate $(\mathtt{cert}\ k_{p,W}\ n\ k_{q,W}\ W)$,

3. for each $W \in \mathcal{V}$, principal expression $q \in S$, and key $k \in S$ such that
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, D, A, V' \rangle$ for some $V' \supseteq W$, the authorization certificate
$(\mathtt{cert}\ k\ k_{q,W}\ D\ A\ W)$.

Note that this is a finite set of certificates since $\mathcal{V}$ and $S$ are finite sets.

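We now construct an interpretation $\pi = (L, P)$ consistent with $r$. For $t \in \mathbb{N}$,
let $W(t)$ be the unique interval in $\mathcal{V}$ containing $t$. Define $L(k, n, t) = \emptyset$ unless $k$ is
$k_{p,W(t)}$ for some principal expression $p$; $L(k_{p,W(t)}, n, t) = \{k_{q,W(t)} : \mathrm{Tuples}(C, C_R) \longrightarrow_1^*
\langle p\text{'s } n, q, V' \rangle, V' \supseteq W(t)\}$. $L(k_{p,W(t)}, n, t)$ is well defined since, if $p' \approx_{W(t)} p$, then by
Proposition A.2, $(p')\text{'s } n \approx_{W(t)} p\text{'s } n$, hence $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p\text{'s } n, q, V' \rangle$ iff
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle (p')\text{'s } n, q, V' \rangle$. Similarly, $P(k, t, k', a) = 0$ unless $k'$ is $k_{q,W(t)}$, for some
principal expression $q$. If $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, \mathit{true}, A, V \rangle$, where $a \in \alpha_{\mathcal{A}}(A)$ and $V \supseteq W(t)$,
then $P(k, t, k_{q,W(t)}, a) = 2$; if $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, \mathit{false}, A, V \rangle$, where $a \in \alpha_{\mathcal{A}}(A)$ and
$V \supseteq W(t)$ and it is not the case that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, \mathit{true}, A', V' \rangle$ for some $A'$ such
that $a \in \alpha_{\mathcal{A}}(A')$ and $V' \supseteq W(t)$, then $P(k, t, k_{q,W(t)}, a) = 1$; otherwise, $P(k, t, k_{q,W(t)}, a) = 0$.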

We want to show that $\pi$ is the minimal interpretation consistent with $r$. We first
need an analogue of Lemma A.4.

Lemma A.5: For all $p \in S$, keys $k$, and times $t$,
$[p]_{L,k,t} = \{k_{q,W(t)} : q \in S, \mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p, q, V' \rangle, V' \supseteq W(t)\}$.

Proof: We proceed by induction on the construction of $p$. If $p$ is a key or an expression
of the form $k\text{'s } n$, the claim follows trivially from the definitions. Note we cannot have
$p = n$ for a local name $n$, by the construction of $S$. So suppose that $p$ has the form $q\text{'s } n$.
We first show that if $k' \in [q\text{'s } n]_{L,k,t}$, then there exist $r \in S$ and $V' \supseteq W(t)$ such that
$k' = k_{r,W(t)}$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q\text{'s } n, r, V' \rangle$. By definition of $[q\text{'s } n]_{L,k,t}$, we have that
$k' \in L(k'', n, t)$ for some key $k'' \in [q]_{L,k,t}$. By the induction hypothesis, there exists $q_1 \in S$
such that $k'' = k_{q_1,W(t)}$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q, q_1, V' \rangle$ for some $V' \supseteq W(t)$. It follows
from Proposition A.2 that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q\text{'s } n, q_1\text{'s } n, V' \rangle$. By definition of $L$, since
$k' \in L(k_{q_1,W(t)}, n, t)$, there exists a principal expression $q_2$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^*
\langle q_1\text{'s } n, q_2, V'' \rangle$, where $V'' \supseteq W(t)$ and $k' = k_{q_2,W(t)}$. By Proposition A.1, it follows that
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q\text{'s } n, q_2, V' \cap V'' \rangle$. Since $V' \cap V'' \supseteq W(t)$, we are done.

For the converse, suppose that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q\text{'s } n, r, V' \rangle$, where $r \in S$ and
$V' \supseteq W(t)$. Since $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle q, q, [0, \infty] \rangle$, we have that $k_{q,W(t)} \in [q]_{L,k,t}$, by
the induction hypothesis. Moreover, by definition of $L$, we have $k_{r,W(t)} \in L(k_{q,W(t)}, n, t)$. It
follows that $k_{r,W(t)} \in [q\text{'s } n]_{L,k,t}$. ■



We use Lemma A.5 to show that $\pi$ is consistent with $r$. Consider a naming certificate
$c = (\mathtt{cert}\ k_1\ n\ p\ V_1\ (k_r)) \in C$ that is applicable at time $t \in V_1$. Either $c$ is
irrevocable, or there exists a CRL $c'$ in $r(0)$ with validity interval $V_2$ such that $t \in V_2$ and
$c$ is live with respect to $c'$. As in the proof of Theorem 5.2, in either case, there is an
interval $V' \subseteq V_1$ containing $t$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_0^* \langle k_1, n, p, V' \rangle$. Since $t \in V'$, we
must have $V' \supseteq W(t)$. By R5, $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k_1\text{'s } n, k_1\text{'s } n, [0, \infty] \rangle$ so, using R6', it
follows that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k_1\text{'s } n, p, V' \rangle$. Now if $k_2 \in [p]_{L,k_1,t}$, then by Lemma A.5,
$k_2 = k_{q,W(t)}$ for some $q \in S$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p, q, V'' \rangle$, where $V'' \supseteq W(t)$.
It follows from Proposition A.1(c) that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k_1\text{'s } n, q, V' \cap V'' \rangle$. Since
$V' \cap V'' \supseteq W(t)$, it follows from the definition of $L$ that $k_2 = k_{q,W(t)} \in [n]_{L,k_1,t}$, as required.

Next, consider certificates of the form $(\mathtt{cert}\ k_{p,W}\ n\ k_{q,W}\ W)$, where $W \in \mathcal{V}$, $p\text{'s } n, q \in S$,
and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p\text{'s } n, q, V' \rangle$ for some $V' \supseteq W$. Since such certificates are
irrevocable, they are always applicable. If $t \in W$, we have $[n]_{L,k_{p,W},t} = L(k_{p,W}, n, t) \supseteq
\{k_{q,W}\} = [k_{q,W}]_{L,k_{p,W},t}$ by construction.

Next, suppose that $c = (\mathtt{cert}\ k\ p\ D\ A\ V\ (k_r))$ is an authorization certificate in $C$
that is applicable in $r$ at time $t \in V$. As in the case of naming certificates, it follows
that there is some interval $V_1$ such that $t \in V_1$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, p, D, A, V_1 \rangle$.
Suppose that $k' \in [p]_{L,k,t}$. By Lemma A.5, $k' = k_{q,W(t)}$ for some $q \in S$ such that
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p, q, V_2 \rangle$ for some $V_2 \supseteq W(t)$. By Proposition A.1, it follows that
$\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, D, A, V_1 \cap V_2 \rangle$. From the definition of $P$ and the fact that
$k' = k_{q,W(t)}$, it follows that

$r, \pi, k, t \models \mathit{Perm}(k, k', A) \wedge (D \Rightarrow \mathit{Del}(k, k', A))$,

as required.

Finally, consider an authorization certificate in $r(0)$ of the form $(\mathtt{cert}\ k\ k_{q,W}\ D\ A\ W)$.
By definition, $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, q, D, A, V' \rangle$ for some $V' \supseteq W$. Again, it is immediate
from the definition of $P$ that

$r, \pi, k, t \models \mathit{Perm}(k, k_{q,W}, A) \wedge (D \Rightarrow \mathit{Del}(k, k_{q,W}, A))$.

This completes the proof that $\pi$ is consistent with $r$.

To show that $\pi$ is the minimal interpretation consistent with $r$, suppose that $\pi' =
(L', P')$. Suppose that $k' \in L(k, n, t)$ and let $W = W(t)$. Then there exist principal
expressions $p$ and $q$ such that $k = k_{p,W(t)}$, $k' = k_{q,W}$ and $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle p\text{'s } n, q, V' \rangle$
for some interval $V' \supseteq W$. Thus, $r(0)$ contains the certificate $(\mathtt{cert}\ k_{p,W}\ n\ k_{q,W}\ W)$. This
implies that if $\pi' = (L', P')$ is another interpretation consistent with $r$ then we must also
have $k' \in L'(k, n, t)$. A similar argument works in the case of $P$. Thus, $\pi$ is the minimal
interpretation consistent with $r$.

It remains to show that $r, k, t_0 \not\models_c \phi_c$ for some choice of $t_0$. If $c$ is a point-valued
certificate such that $\tau_c = \langle k, n, p, [t_0, t_0] \rangle$, then since it is not the case that
$\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \tau_c$, it is also not the case that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k\text{'s } n, p, V \rangle$ for
any interval $V$ containing $t_0$. (Otherwise, from Proposition A.1, we would be able to use
R0 and R4(a) to derive $\tau_c$.) Hence, by Lemma A.5, it follows that $k_{p,W(t_0)} \notin L(k, n, t_0)$.
Of course, we do have (using R0) that $k_{p,W(t_0)} \in [p]_{L,k,t_0}$. Thus, $r, k, t_0 \not\models_c \phi_c$.

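Next, suppose that $c$ is an arbitrary naming certificate, with $\tau_c = \langle k, n, p, V \rangle$. Let
$\mathcal{V}'$ consist of all intervals $V' \in \mathcal{V}$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k\text{'s } n, p, V' \rangle$. $\mathcal{V}'$ is finite,
since $\mathcal{V}$ is. Moreover, it cannot be the case that $V \subseteq \bigcup \mathcal{V}'$, for otherwise, using R4(a) and
R0, it would follow that $\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \tau_c$. Choose $t_0 \in V - \bigcup \mathcal{V}'$. It follows just as
above that $r, k, t_0 \not\models_c \phi_c$.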

Finally, suppose that $c$ is an authorization certificate, with $\tau_c = \langle k, p, \mathit{true}, A, V \rangle$.
(The argument is similar if $\mathit{true}$ is replaced by $\mathit{false}$.) We claim that there must be
some time $t_0$ and action $a \in \alpha_{\mathcal{A}}(A)$ such that for no interval $V'$ containing $t_0$ and $A'$
such that $a \in \alpha_{\mathcal{A}}(A')$ is it the case that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, p, \mathit{true}, A', V' \rangle$. It follows
from the claim that $P(k, t_0, k_{p,W}, a) \ne 2$, so $r, k, t_0 \not\models_c \phi_c$. This completes the proof of
the theorem. For the proof of the claim, suppose, by way of contradiction, that for all
$t \in V$ and all actions $a \in \alpha_{\mathcal{A}}(A)$, there exists an interval $V_{t,a}$ containing $t$ and an action
expression $A_{t,a}$ such that $a \in \alpha_{\mathcal{A}}(A_{t,a})$ such that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, p, \mathit{true}, A_{t,a}, V_{t,a} \rangle$.
Note that there are only finitely many time intervals $V'$ and action expressions $A'$ such
that $\mathrm{Tuples}(C, C_R) \longrightarrow_1^* \langle k, p, \mathit{true}, A', V' \rangle$. For each $a \in \alpha_{\mathcal{A}}(A)$, let $A_a$ be the intersection
of all the action expressions $A_{t,a}$ for $t \in V$. Since this is a finite intersection, $A_a \in \mathcal{A}$.
Moreover, even if $\alpha_{\mathcal{A}}(A)$ is infinite, the number of distinct sets $A_a$ is finite. By R4(c), for
each $t \in V$, we have that $\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \langle k, p, \mathit{true}, A_a, V_{t,a} \rangle$. Since the union of the
sets $V_{t,a}$ contains $V$, and there are only finitely many such sets, by R4(b) it follows that
$\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \langle k, p, \mathit{true}, A_a, V \rangle$. Finally, since $\alpha_{\mathcal{A}}(A)$ is contained in the union of
the sets $\alpha_{\mathcal{A}}(A_a)$, it follows from R4(c) that $\mathrm{Tuples}(C, C_R) \longrightarrow_2^* \langle k, p, \mathit{true}, A, V \rangle$, which is
a contradiction. ■